Entitlement required: resetPassword (Reset password).
Note: To use this API, password reset must be enabled in the Cloud Directory identity provider.
Initiates a reset password request for the user. Each step defines a method to verify the user's identity. Valid methods are emailLink, emailotp, smsotp, voiceotp, totp, fingerprint, and userpresence. The response returns a transaction identifier, the number of steps remaining, and the next step to perform. When multiple steps are associated with the transaction, call the POST /v1.0/usc/password/resetter/{trxId}/validator API to verify the user's identity until only one step remains. When one step remains, call the PUT /v1.0/usc/password/resetter/{trxId} API to verify the last step and reset the user's password.
The totp, fingerprint, and userpresence verification methods require user enrollment. The fingerprint method also works with facial recognition. The emailotp, smsotp, and voiceotp verification methods do not require user enrollment, unless the authentication factors tenant configuration specifies "User-enrolled methods only".
When the system cannot reset the password, the audit event that is generated contains the cause of the error.
Notifications can be branded by passing in the themeId as a query parameter. The templates for branding MFA notifications are located at authentication/mfa/.
Rate Limiting:
- This endpoint is rate limited to 2 requests per 30 minutes per tenant and username combination.
- If the rate limit is exceeded, a 429 (Too many requests) response will be returned.
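The following added example (not part of the original documentation or the product's own code) mirrors the documented limit on the client side and plans the validator/PUT call sequence described above. The names `ResetRateGate`, `next_call` and `plan_flow` are hypothetical; it assumes the steps-remaining count drops by one per verified step and treats the limit conservatively as a sliding window.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 30 * 60  # documented window: 30 minutes
MAX_REQUESTS = 2          # documented limit per tenant + username


class ResetRateGate:
    """Client-side mirror of the documented limit (hypothetical helper).

    Other clients share the same server-side quota, so a 429 must still
    be handled; this gate only stops this caller from burning a user's
    two attempts on retries.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hits = defaultdict(deque)  # (tenant, username) -> timestamps

    def try_acquire(self, tenant, username):
        """Return 0.0 if a reset may be initiated now, else seconds to wait."""
        now = self._clock()
        hits = self._hits[(tenant, username)]
        # Drop attempts that have aged out of the 30-minute window.
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= MAX_REQUESTS:
            return WINDOW_SECONDS - (now - hits[0])
        hits.append(now)
        return 0.0


def next_call(trx_id, steps_remaining):
    """Pick the endpoint for the next step of a reset transaction."""
    if steps_remaining < 1:
        raise ValueError("transaction has no steps remaining")
    if steps_remaining > 1:
        # More than one step left: verify identity via the validator API.
        return ("POST", f"/v1.0/usc/password/resetter/{trx_id}/validator")
    # Exactly one step left: the PUT verifies it and resets the password.
    return ("PUT", f"/v1.0/usc/password/resetter/{trx_id}")


def plan_flow(trx_id, steps_remaining):
    """Ordered calls needed to finish a transaction, assuming the
    steps-remaining count decreases by one per verified step."""
    return [next_call(trx_id, n) for n in range(steps_remaining, 0, -1)]
```
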
