[{"data":1,"prerenderedAt":1174},["ShallowReactive",2],{"navigation":3,"\u002Fsecurity\u002Fauthentication":395,"\u002Fsecurity\u002Fauthentication-surround":1169},[4,23,53,78,107,142,166,202,238,277,306,361],{"title":5,"path":6,"stem":7,"children":8,"icon":22},"Getting Started","\u002Fgetting-started","1.getting-started\u002F1.index",[9,12,17],{"title":10,"path":6,"stem":7,"icon":11},"Introduction","i-lucide-house",{"title":13,"path":14,"stem":15,"icon":16},"Usage","\u002Fgetting-started\u002Fusage","1.getting-started\u002F3.usage","i-lucide-sliders",{"title":18,"path":19,"stem":20,"icon":21},"Signing in on the mobile app","\u002Fgetting-started\u002Fmobile-app-sign-in","1.getting-started\u002F4.mobile-app-sign-in","i-lucide-smartphone",false,{"title":24,"icon":22,"path":25,"stem":26,"children":27,"page":22},"Billing & Plans","\u002Fbilling","10.billing",[28,33,38,43,48],{"title":29,"path":30,"stem":31,"icon":32},"Plans","\u002Fbilling\u002Fplans","10.billing\u002F1.plans","i-lucide-credit-card",{"title":34,"path":35,"stem":36,"icon":37},"Limits & Usage","\u002Fbilling\u002Flimits-and-usage","10.billing\u002F2.limits-and-usage","i-lucide-gauge",{"title":39,"path":40,"stem":41,"icon":42},"Managing Your Subscription","\u002Fbilling\u002Fmanaging-your-subscription","10.billing\u002F3.managing-your-subscription","i-lucide-receipt",{"title":44,"path":45,"stem":46,"icon":47},"Add-ons","\u002Fbilling\u002Fadd-ons","10.billing\u002F4.add-ons","i-lucide-puzzle",{"title":49,"path":50,"stem":51,"icon":52},"Integrations","\u002Fbilling\u002Fintegrations","10.billing\u002F5.integrations","i-lucide-plug",{"title":54,"icon":22,"path":55,"stem":56,"children":57,"page":22},"Settings","\u002Fsettings","11.settings",[58,62,66,70,74],{"title":59,"path":60,"stem":61},"General","\u002Fsettings\u002Fgeneral","11.settings\u002F1.general",{"title":63,"path":64,"stem":65},"Leave Types","\u002Fsettings\u002Fleavetype","11.settings\u002F2.leaveType",{"title":67,"path":68,"stem":69},"Carry Forward","\u002Fsettings\u002Fcarryforward","11.settings\u002F3.carryForward",{"title":71,"path":72,"stem":73},"Department Management","\u002Fsettings\u002Fdepartments","11.settings\u002F4.departments",{"title":75,"path":76,"stem":77},"Public Holidays","\u002Fsettings\u002Fpublicholiday","11.settings\u002F5.publicholiday",{"title":79,"path":80,"stem":81,"children":82,"page":22},"Mcp","\u002Fmcp","12.mcp",[83,88,92,97,102],{"title":84,"path":85,"stem":86,"icon":87},"Overview","\u002Fmcp\u002Foverview","12.mcp\u002F1.overview","i-lucide-bot",{"title":89,"path":90,"stem":91,"icon":52},"Connecting","\u002Fmcp\u002Fconnecting","12.mcp\u002F2.connecting",{"title":93,"path":94,"stem":95,"icon":96},"Tools Reference","\u002Fmcp\u002Ftools","12.mcp\u002F3.tools","i-lucide-wrench",{"title":98,"path":99,"stem":100,"icon":101},"Security","\u002Fmcp\u002Fsecurity","12.mcp\u002F4.security","i-lucide-shield",{"title":103,"path":104,"stem":105,"icon":106},"Integrating Your Own MCP Client","\u002Fmcp\u002Fcustom-client","12.mcp\u002F5.custom-client","i-lucide-code",{"title":108,"icon":22,"path":109,"stem":110,"children":111,"page":22},"Leave Management","\u002Fleave-management","2.leave-management",[112,117,122,127,132,137],{"title":113,"path":114,"stem":115,"icon":116},"Leave Management Overview","\u002Fleave-management\u002Foverview","2.leave-management\u002F1.overview","i-lucide-palmtree",{"title":118,"path":119,"stem":120,"icon":121},"Requesting Leave","\u002Fleave-management\u002Frequesting-leave","2.leave-management\u002F2.requesting-leave","i-lucide-calendar-plus",{"title":123,"path":124,"stem":125,"icon":126},"Leave Balances","\u002Fleave-management\u002Fleave-balances","2.leave-management\u002F3.leave-balances","i-lucide-wallet",{"title":128,"path":129,"stem":130,"icon":131},"Group Booking","\u002Fleave-management\u002Fgroup-booking","2.leave-management\u002F4.group-booking","i-lucide-users",{"title":133,"path":134,"stem":135,"icon":136},"Editing and Cancelling Leave","\u002Fleave-management\u002Fediting-and-cancelling","2.leave-management\u002F5.editing-and-cancelling","i-lucide-pencil",{"title":138,"path":139,"stem":140,"icon":141},"Leave Troubleshooting","\u002Fleave-management\u002Ftroubleshooting","2.leave-management\u002F6.troubleshooting","i-lucide-life-buoy",{"title":143,"icon":22,"path":144,"stem":145,"children":146,"page":22},"Approvals","\u002Fapprovals","3.approvals",[147,152,157,161],{"title":148,"path":149,"stem":150,"icon":151},"Approvals Overview","\u002Fapprovals\u002Foverview","3.approvals\u002F1.overview","i-lucide-check-check",{"title":153,"path":154,"stem":155,"icon":156},"Leave Approvals","\u002Fapprovals\u002Fleave-approvals","3.approvals\u002F2.leave-approvals","i-lucide-calendar-check",{"title":158,"path":159,"stem":160,"icon":42},"Expense Approvals","\u002Fapprovals\u002Fexpense-approvals","3.approvals\u002F3.expense-approvals",{"title":162,"path":163,"stem":164,"icon":165},"Time Approvals","\u002Fapprovals\u002Ftime-approvals","3.approvals\u002F4.time-approvals","i-lucide-clock-9",{"title":167,"icon":22,"path":168,"stem":169,"children":170,"page":22},"Time tracking & monitoring","\u002Ftime-tracking","4.Time Tracking",[171,176,181,186,190,194,198],{"title":172,"path":173,"stem":174,"icon":175},"Clocking In & Location","\u002Ftime-tracking\u002Fclock-in-and-location","4.Time Tracking\u002F5.clock-in-and-location","i-lucide-map-pin",{"title":177,"path":178,"stem":179,"icon":180},"Overtime & Pay-Period Lockdown","\u002Ftime-tracking\u002Fovertime-and-lockdown","4.Time Tracking\u002F6.overtime-and-lockdown","i-lucide-lock",{"title":182,"path":183,"stem":184,"icon":185},"Geofencing","\u002Ftime-tracking\u002Fgeofencing","4.Time Tracking\u002F7.geofencing","i-lucide-map",{"title":187,"path":188,"stem":189},"Time & Projects","\u002Ftime-tracking\u002Ftimeandprojects","4.Time Tracking\u002FTime&Projects",{"title":191,"path":192,"stem":193},"Time Tracking","\u002Ftime-tracking\u002Ftime-tracking","4.Time Tracking\u002FTime-tracking",{"title":195,"path":196,"stem":197},"Timeboard","\u002Ftime-tracking\u002Ftimeboard","4.Time Tracking\u002FTimeBoard",{"title":199,"path":200,"stem":201},"Timesheets","\u002Ftime-tracking\u002Ftimesheets","4.Time Tracking\u002FTimesheets",{"title":203,"icon":22,"path":204,"stem":205,"children":206,"page":22},"Expenses","\u002Fexpenses","5.expenses",[207,211,215,219,223,228,233],{"title":208,"path":209,"stem":210},"Expense Claims","\u002Fexpenses\u002Foverview","5.expenses\u002F1.overview",{"title":212,"path":213,"stem":214},"Add & Manage Purchases","\u002Fexpenses\u002Fpurchases","5.expenses\u002F2.purchases",{"title":216,"path":217,"stem":218},"Travel & Mileage Entry","\u002Fexpenses\u002Ftravelentries","5.expenses\u002F3.travelentries",{"title":220,"path":221,"stem":222,"icon":32},"Company Card Expenses","\u002Fexpenses\u002Fcompany-cards","5.expenses\u002F4.company-cards",{"title":224,"path":225,"stem":226,"icon":227},"Per Diems","\u002Fexpenses\u002Fper-diems","5.expenses\u002F5.per-diems","i-lucide-utensils",{"title":229,"path":230,"stem":231,"icon":232},"Receipt Scanning","\u002Fexpenses\u002Freceipt-scanning","5.expenses\u002F6.receipt-scanning","i-lucide-scan-line",{"title":234,"path":235,"stem":236,"icon":237},"Statuses & Submission","\u002Fexpenses\u002Fstatuses-and-submission","5.expenses\u002F7.statuses-and-submission","i-lucide-git-pull-request-arrow",{"title":239,"icon":22,"path":240,"stem":241,"children":242,"page":22},"Documents & E-Signatures","\u002Fdocuments","6.documents",[243,247,252,257,262,267,272],{"title":84,"path":244,"stem":245,"icon":246},"\u002Fdocuments\u002Foverview","6.documents\u002F1.overview","i-lucide-folder-open",{"title":248,"path":249,"stem":250,"icon":251},"Uploading Documents","\u002Fdocuments\u002Fuploading","6.documents\u002F2.uploading","i-lucide-upload",{"title":253,"path":254,"stem":255,"icon":256},"E-Signatures","\u002Fdocuments\u002Fe-signatures","6.documents\u002F3.e-signatures","i-lucide-pen-tool",{"title":258,"path":259,"stem":260,"icon":261},"Audit Trail & Certificate","\u002Fdocuments\u002Faudit-trail","6.documents\u002F4.audit-trail","i-lucide-file-check",{"title":263,"path":264,"stem":265,"icon":266},"Templates & Bulk Send","\u002Fdocuments\u002Ftemplates-and-bulk-send","6.documents\u002F5.templates-and-bulk-send","i-lucide-layout-template",{"title":268,"path":269,"stem":270,"icon":271},"Onboarding","\u002Fdocuments\u002Fonboarding","6.documents\u002F6.onboarding","i-lucide-user-plus",{"title":273,"path":274,"stem":275,"icon":276},"Offboarding","\u002Fdocuments\u002Foffboarding","6.documents\u002F7.offboarding","i-lucide-user-minus",{"title":278,"icon":22,"path":279,"stem":280,"children":281,"page":22},"People & HR","\u002Fpeople","7.people",[282,286,291,296,301],{"title":283,"path":284,"stem":285,"icon":131},"Directory & Profiles","\u002Fpeople\u002Fdirectory-and-profiles","7.people\u002F1.directory-and-profiles",{"title":287,"path":288,"stem":289,"icon":290},"Managing Users","\u002Fpeople\u002Fmanaging-users","7.people\u002F2.managing-users","i-lucide-user-cog",{"title":292,"path":293,"stem":294,"icon":295},"HR Records","\u002Fpeople\u002Fhr-records","7.people\u002F3.hr-records","i-lucide-folder-archive",{"title":297,"path":298,"stem":299,"icon":300},"Performance","\u002Fpeople\u002Fperformance","7.people\u002F4.performance","i-lucide-target",{"title":302,"path":303,"stem":304,"icon":305},"Training","\u002Fpeople\u002Ftraining","7.people\u002F5.training","i-lucide-graduation-cap",{"title":307,"icon":22,"path":308,"stem":309,"children":310,"page":22},"Features","\u002Ffeatures","8.features",[311,315,319,324,329,333,337,341,345,349,353,357],{"title":312,"path":313,"stem":314},"Dashboard","\u002Ffeatures\u002Fdashboard","8.features\u002F1.dashboard",{"title":316,"path":317,"stem":318},"SMTP troubleshoot","\u002Ffeatures\u002Fsmtp-troubleshoot","8.features\u002F10.smtp-troubleshoot",{"title":320,"path":321,"stem":322,"icon":323},"Notifications","\u002Ffeatures\u002Fnotifications","8.features\u002F11.notifications","i-lucide-bell",{"title":325,"path":326,"stem":327,"icon":328},"Reports","\u002Ffeatures\u002Freports","8.features\u002F12.reports","i-lucide-bar-chart-3",{"title":330,"path":331,"stem":332},"Calendar & Leave Overview","\u002Ffeatures\u002Fcalendar","8.features\u002F2.calendar",{"title":334,"path":335,"stem":336},"Calendar Integration","\u002Ffeatures\u002Fcalendar-integration","8.features\u002F3.calendar-integration",{"title":338,"path":339,"stem":340},"Schedules","\u002Ffeatures\u002Fschedules","8.features\u002F4.schedules",{"title":342,"path":343,"stem":344},"Project Management","\u002Ffeatures\u002Fprojects","8.features\u002F5.projects",{"title":346,"path":347,"stem":348},"Expense Settings","\u002Ffeatures\u002Fexpense-settings","8.features\u002F6.expense-settings",{"title":350,"path":351,"stem":352},"Auth0 SSO Integration","\u002Ffeatures\u002Fauth0-integration","8.features\u002F7.auth0-integration",{"title":354,"path":355,"stem":356},"Password & Authentication Policy","\u002Ffeatures\u002Fpolicies","8.features\u002F8.policies",{"title":358,"path":359,"stem":360},"Email Configuration (SMTP)","\u002Ffeatures\u002Femail-configuration","8.features\u002F9.email-configuration",{"title":362,"icon":22,"path":363,"stem":364,"children":365,"page":22},"Security & Privacy","\u002Fsecurity","9.security",[366,371,376,380,385,390],{"title":367,"path":368,"stem":369,"icon":370},"Security Overview","\u002Fsecurity\u002Foverview","9.security\u002F1.overview","i-lucide-shield-check",{"title":372,"path":373,"stem":374,"icon":375},"Authentication","\u002Fsecurity\u002Fauthentication","9.security\u002F2.authentication","i-lucide-log-in",{"title":377,"path":378,"stem":379,"icon":21},"Two-Factor & Devices","\u002Fsecurity\u002Ftwo-factor-and-devices","9.security\u002F3.two-factor-and-devices",{"title":381,"path":382,"stem":383,"icon":384},"Audit & Monitoring","\u002Fsecurity\u002Faudit-and-monitoring","9.security\u002F4.audit-and-monitoring","i-lucide-scroll-text",{"title":386,"path":387,"stem":388,"icon":389},"Account Deletion & Privacy","\u002Fsecurity\u002Faccount-deletion-and-privacy","9.security\u002F5.account-deletion-and-privacy","i-lucide-user-x",{"title":391,"path":392,"stem":393,"icon":394},"Roles & Permissions","\u002Fsecurity\u002Froles-and-permissions","9.security\u002F6.roles-and-permissions","i-lucide-key-round",{"id":396,"title":372,"body":397,"description":1162,"extension":1163,"links":1164,"meta":1165,"navigation":1166,"path":373,"seo":1167,"stem":374,"__hash__":1168},"docs\u002F9.security\u002F2.authentication.md",{"type":398,"value":399,"toc":1145},"minimark",[400,404,424,429,432,456,521,526,537,547,551,588,600,604,662,690,694,709,720,778,788,791,802,805,812,874,877,881,892,896,911,922,939,954,968,988,992,1007,1017,1021,1138,1141],[401,402,372],"h1",{"id":403},"authentication",[405,406,407,408,416,417,423],"p",{},"This page covers how you sign in, how your session stays alive, and the rules around passwords and email verification. It applies to every user; admins should read the ",[409,410,411],"strong",{},[412,413,415],"a",{"href":414},"#force-password-change","Force password change"," and ",[409,418,419],{},[412,420,422],{"href":421},"#password-policy","Password policy"," sections.",[425,426,428],"h2",{"id":427},"logging-in","Logging in",[405,430,431],{},"Sign in with your email and password.",[433,434,439],"pre",{"className":435,"code":436,"language":437,"meta":438,"style":438},"language-http shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","POST \u002Fapi\u002Fauth\u002Flogin\n{ \"email\": \"you@example.com\", \"password\": \"••••••••\", \"rememberMe\": true }\n","http","",[440,441,442,450],"code",{"__ignoreMap":438},[443,444,447],"span",{"class":445,"line":446},"line",1,[443,448,449],{},"POST \u002Fapi\u002Fauth\u002Flogin\n",[443,451,453],{"class":445,"line":452},2,[443,454,455],{},"{ \"email\": \"you@example.com\", \"password\": \"••••••••\", \"rememberMe\": true }\n",[457,458,459,475],"table",{},[460,461,462],"thead",{},[463,464,465,469,472],"tr",{},[466,467,468],"th",{},"Field",[466,470,471],{},"Required",[466,473,474],{},"Notes",[476,477,478,492,504],"tbody",{},[463,479,480,486,489],{},[481,482,483],"td",{},[440,484,485],{},"email",[481,487,488],{},"Yes",[481,490,491],{},"Your work email.",[463,493,494,499,501],{},[481,495,496],{},[440,497,498],{},"password",[481,500,488],{},[481,502,503],{},"Your account password.",[463,505,506,511,514],{},[481,507,508],{},[440,509,510],{},"rememberMe",[481,512,513],{},"No",[481,515,516,517,520],{},"Defaults to ",[409,518,519],{},"true",". Controls how long the session lasts (see below).",[522,523,525],"h3",{"id":524},"account-enumeration-is-prevented-by-design","Account enumeration is prevented by design",[405,527,528,529,532,533,536],{},"A wrong password and a non-existent or deactivated account both return the ",[409,530,531],{},"same"," generic error: ",[440,534,535],{},"Invalid email or password",". We intentionally return identical responses regardless of which case applies, so a sign-in attempt never reveals whether an email address is in use.",[538,539,541],"callout",{"color":540,"icon":101},"amber",[405,542,543,546],{},[409,544,545],{},"Why?"," If \"wrong password\" and \"no such user\" looked different, an attacker could harvest a list of valid emails. Identical responses close that hole — so a 401 here never tells you which half failed.",[522,548,550],{"id":549},"what-happens-on-a-successful-login","What happens on a successful login",[552,553,554,570,585],"ol",{},[555,556,557,558,561,562,565,566,569],"li",{},"A ",[409,559,560],{},"seat-limit check"," runs. If the organization is over its plan's user cap, login is blocked with ",[409,563,564],{},"403"," — except for ",[409,567,568],{},"Executive"," accounts, which are exempt so an owner can always get in to fix billing.",[555,571,572,573,576,577,580,581,584],{},"You receive an ",[409,574,575],{},"access token"," and a ",[409,578,579],{},"refresh token"," (on web, the refresh token is also set as an ",[409,582,583],{},"HttpOnly cookie",").",[555,586,587],{},"The submitted password is checked against known breached-password lists in the background. If it appears in a known breach, you get a security alert (sent occasionally, not on every login).",[405,589,590,591,595,596,599],{},"Every login attempt, success or failure, is recorded (see ",[409,592,593],{},[412,594,381],{"href":382},"). Repeated failures feed a ",[409,597,598],{},"failed-login-burst tripwire",".",[425,601,603],{"id":602},"jwt-tokens-rotation","JWT tokens & rotation",[457,605,606,619],{},[460,607,608],{},[463,609,610,613,616],{},[466,611,612],{},"Token",[466,614,615],{},"Lifetime",[466,617,618],{},"Stored where",[476,620,621,637,650],{},[463,622,623,628,631],{},[481,624,625],{},[409,626,627],{},"Access token",[481,629,630],{},"Short-lived",[481,632,633,634,599],{},"Held by the client; sent as ",[440,635,636],{},"Authorization: Bearer",[463,638,639,644,647],{},[481,640,641],{},[409,642,643],{},"Refresh token (remember me)",[481,645,646],{},"Longer-lived",[481,648,649],{},"Database + HttpOnly cookie (web).",[463,651,652,657,660],{},[481,653,654],{},[409,655,656],{},"Refresh token (session only)",[481,658,659],{},"Shorter-lived",[481,661,649],{},[405,663,664,665,668,669,668,672,668,675,668,677,668,680,668,683,686,687,599],{},"The access token's payload includes: ",[440,666,667],{},"userId",", ",[440,670,671],{},"organizationId",[440,673,674],{},"role",[440,676,485],{},[440,678,679],{},"emailVerified",[440,681,682],{},"onboardingCompleted",[440,684,685],{},"forcePasswordChange",", and ",[440,688,689],{},"requiresTwoFactorSetup",[522,691,693],{"id":692},"refresh-rotates-everything","Refresh rotates everything",[433,695,697],{"className":435,"code":696,"language":437,"meta":438,"style":438},"POST \u002Fapi\u002Fauth\u002Frefresh\n{ \"refreshToken\": \"...\" }\n",[440,698,699,704],{"__ignoreMap":438},[443,700,701],{"class":445,"line":446},[443,702,703],{},"POST \u002Fapi\u002Fauth\u002Frefresh\n",[443,705,706],{"class":445,"line":452},[443,707,708],{},"{ \"refreshToken\": \"...\" }\n",[405,710,711,712,715,716,719],{},"On ",[409,713,714],{},"every"," refresh, both tokens are ",[409,717,718],{},"rotated atomically"," — the old pair is deleted and a fresh pair issued in one transaction.",[457,721,722,735],{},[460,723,724],{},[463,725,726,729,732],{},[466,727,728],{},"Situation",[466,730,731],{},"Response",[466,733,734],{},"Meaning",[476,736,737,748,761],{},[463,738,739,742,745],{},[481,740,741],{},"Normal refresh",[481,743,744],{},"New access + refresh token",[481,746,747],{},"Old pair is now invalid.",[463,749,750,753,758],{},[481,751,752],{},"Reusing an already-rotated refresh token",[481,754,755],{},[440,756,757],{},"Token already rotated - use the new token",[481,759,760],{},"Treated as token theft — use the latest token your client received.",[463,762,763,766,775],{},[481,764,765],{},"Two refreshes racing",[481,767,768,771,772],{},[409,769,770],{},"409"," ",[440,773,774],{},"Token refresh in progress - please retry",[481,776,777],{},"Another refresh is mid-flight; retry shortly.",[538,779,782],{"color":780,"icon":781},"blue","i-lucide-info",[405,783,784,787],{},[409,785,786],{},"Why rotation?"," If a refresh token leaks, it's only valid until the real client next refreshes — at which point the leaked copy becomes a \"reused\" token and is rejected as theft.",[425,789,415],{"id":790},"force-password-change",[405,792,793,794,797,798,801],{},"Users created by an administrator are created with ",[440,795,796],{},"forcePasswordChange = true",". Until they set their own password, they are ",[409,799,800],{},"blocked (403)"," on everything except auth, profile, settings, and security pages, and are redirected to set a password. Setting the new password clears the flag and issues fresh tokens.",[425,803,422],{"id":804},"password-policy",[405,806,807,808,811],{},"The policy is ",[409,809,810],{},"org-configurable",". The defaults are:",[457,813,814,824],{},[460,815,816],{},[463,817,818,821],{},[466,819,820],{},"Rule",[466,822,823],{},"Default",[476,825,826,834,841,848,855,866],{},[463,827,828,831],{},[481,829,830],{},"Minimum length",[481,832,833],{},"8 characters (clamped to the 8–32 range)",[463,835,836,839],{},[481,837,838],{},"Uppercase letter",[481,840,471],{},[463,842,843,846],{},[481,844,845],{},"Lowercase letter",[481,847,471],{},[463,849,850,853],{},[481,851,852],{},"Number",[481,854,471],{},[463,856,857,860],{},[481,858,859],{},"Special character",[481,861,862,865],{},[409,863,864],{},"Not"," required",[463,867,868,871],{},[481,869,870],{},"Breached-password check",[481,872,873],{},"New passwords found in known breached-password lists are rejected",[405,875,876],{},"New passwords are checked against known breached-password lists; the password itself never leaves our systems.",[522,878,880],{"id":879},"changing-your-password-logs-you-out-everywhere","Changing your password logs you out everywhere",[405,882,883,884,887,888,891],{},"When you change your password, ",[409,885,886],{},"all"," of your refresh tokens are deleted (signing you out on every device), then a fresh pair is issued for your current session. The new password must be ",[409,889,890],{},"different"," from your current one.",[425,893,895],{"id":894},"forgot-reset-password","Forgot & reset password",[433,897,899],{"className":435,"code":898,"language":437,"meta":438,"style":438},"POST \u002Fapi\u002Fauth\u002Fforgot-password\n{ \"email\": \"you@example.com\" }\n",[440,900,901,906],{"__ignoreMap":438},[443,902,903],{"class":445,"line":446},[443,904,905],{},"POST \u002Fapi\u002Fauth\u002Fforgot-password\n",[443,907,908],{"class":445,"line":452},[443,909,910],{},"{ \"email\": \"you@example.com\" }\n",[405,912,913,914,917,918,921],{},"This ",[409,915,916],{},"always"," returns the same generic message — it never reveals whether the email exists. Behind the scenes it issues ",[409,919,920],{},"two"," credentials, both hashed in the database and valid for a limited time:",[923,924,925,932],"ul",{},[555,926,927,928,931],{},"a ",[409,929,930],{},"6-digit code"," (handy for mobile entry), and",[555,933,934,935,938],{},"a long ",[409,936,937],{},"URL token"," (embedded in the email link).",[433,940,942],{"className":435,"code":941,"language":437,"meta":438,"style":438},"POST \u002Fapi\u002Fauth\u002Freset-password\n{ \"token\": \"\u003Clong token>\", \"password\": \"NewPass1\", \"email\": \"you@example.com\" }\n",[440,943,944,949],{"__ignoreMap":438},[443,945,946],{"class":445,"line":446},[443,947,948],{},"POST \u002Fapi\u002Fauth\u002Freset-password\n",[443,950,951],{"class":445,"line":452},[443,952,953],{},"{ \"token\": \"\u003Clong token>\", \"password\": \"NewPass1\", \"email\": \"you@example.com\" }\n",[405,955,956,957,960,961,963,964,967],{},"You may supply ",[409,958,959],{},"either"," the 6-digit code (in which case ",[440,962,485],{}," is required) ",[409,965,966],{},"or"," the long token. On success:",[923,969,970,973,980,985],{},[555,971,972],{},"the password is updated,",[555,974,975,976,979],{},"your email is marked ",[409,977,978],{},"verified"," (the reset link doubles as proof you control the inbox — useful for first-time setup),",[555,981,982,984],{},[409,983,886],{}," refresh tokens are deleted, and",[555,986,987],{},"a confirmation email is sent.",[425,989,991],{"id":990},"email-verification","Email verification",[433,993,995],{"className":435,"code":994,"language":437,"meta":438,"style":438},"POST \u002Fapi\u002Fauth\u002Fverify-email\n{ \"token\": \"...\" }\n",[440,996,997,1002],{"__ignoreMap":438},[443,998,999],{"class":445,"line":446},[443,1000,1001],{},"POST \u002Fapi\u002Fauth\u002Fverify-email\n",[443,1003,1004],{"class":445,"line":452},[443,1005,1006],{},"{ \"token\": \"...\" }\n",[405,1008,1009,1010,1013,1014,1016],{},"Verification is ",[409,1011,1012],{},"idempotent"," — clicking the link twice is harmless. Until you verify, you're ",[409,1015,800],{}," on most endpoints and sent to the verification screen. A new verification email can be requested again after a short wait.",[425,1018,1020],{"id":1019},"troubleshooting","Troubleshooting",[457,1022,1023,1036],{},[460,1024,1025],{},[463,1026,1027,1030,1033],{},[466,1028,1029],{},"Error",[466,1031,1032],{},"Cause",[466,1034,1035],{},"Fix",[476,1037,1038,1054,1067,1080,1095,1108,1121],{},[463,1039,1040,1045,1051],{},[481,1041,1042],{},[440,1043,1044],{},"401 Invalid email or password",[481,1046,1047,1048,1050],{},"Wrong credentials ",[409,1049,966],{}," a deactivated account (deliberately indistinguishable).",[481,1052,1053],{},"Re-check your password; if it's correct, contact your administrator — the account may be deactivated.",[463,1055,1056,1061,1064],{},[481,1057,1058],{},[440,1059,1060],{},"403 Email verification required",[481,1062,1063],{},"Your email isn't verified yet.",[481,1065,1066],{},"Click the link in your verification email; resend after a short wait if needed.",[463,1068,1069,1074,1077],{},[481,1070,1071],{},[440,1072,1073],{},"403 Password change required",[481,1075,1076],{},"You were created with a forced password change.",[481,1078,1079],{},"Set a new password when prompted.",[463,1081,1082,1087,1090],{},[481,1083,1084,1086],{},[440,1085,564],{}," over the seat limit (non-executive)",[481,1088,1089],{},"The org has more users than its plan allows.",[481,1091,1092,1093,599],{},"An admin\u002Fexecutive must reduce users or upgrade the plan. See ",[412,1094,29],{"href":30},[463,1096,1097,1102,1105],{},[481,1098,1099],{},[440,1100,1101],{},"Token already rotated",[481,1103,1104],{},"An old refresh token was reused.",[481,1106,1107],{},"Use the most recent token your client received; sign in again if unsure.",[463,1109,1110,1115,1118],{},[481,1111,1112],{},[440,1113,1114],{},"409 Token refresh in progress",[481,1116,1117],{},"Two refreshes ran at once.",[481,1119,1120],{},"Retry the request.",[463,1122,1123,1132,1135],{},[481,1124,1125,1128,1129],{},[440,1126,1127],{},"429"," with ",[440,1130,1131],{},"retryAfter",[481,1133,1134],{},"Rate limit hit (e.g. too many logins).",[481,1136,1137],{},"Wait the indicated time, then retry.",[405,1139,1140],{},"The forgot\u002Freset credentials are valid for a limited time — request a fresh one if it has expired.",[1142,1143,1144],"style",{},"html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":438,"searchDepth":446,"depth":452,"links":1146},[1147,1152,1155,1156,1159,1160,1161],{"id":427,"depth":452,"text":428,"children":1148},[1149,1151],{"id":524,"depth":1150,"text":525},3,{"id":549,"depth":1150,"text":550},{"id":602,"depth":452,"text":603,"children":1153},[1154],{"id":692,"depth":1150,"text":693},{"id":790,"depth":452,"text":415},{"id":804,"depth":452,"text":422,"children":1157},[1158],{"id":879,"depth":1150,"text":880},{"id":894,"depth":452,"text":895},{"id":990,"depth":452,"text":991},{"id":1019,"depth":452,"text":1020},"How sign-in works in BookYourPTO — login, JWT access and refresh tokens with rotation, force-password-change, the password policy, forgot\u002Freset, and email verification.","md",null,{},{"icon":375},{"title":372,"description":1162},"x4C1fg035E54xkMaP8UGvln6fPdAkF_LG3GZCTp0PMo",[1170,1172],{"title":367,"path":368,"stem":369,"description":1171,"icon":370,"children":-1},"How BookYourPTO protects your account and your organization's data — authentication, encryption, rate limiting, security headers, audit logging, and account guards.",{"title":377,"path":378,"stem":379,"description":1173,"icon":21,"children":-1},"Set up TOTP two-factor authentication, save backup codes, verify at login, and manage trusted devices in BookYourPTO.",1781157134735]