Actions Triggers: password-reset-post-challenge - API Object

The API object for the password-reset-post-challenge Actions trigger includes:

`api.access`

Modify the access of the user that is attempting to reset their password.

`api.access.deny(reason)`

Mark the current password reset attempt as denied. This will prevent the end-user from completing the password reset flow. This will NOT cancel other user-related side-effects requested by this Action. The password reset flow will immediately stop following the completion of this action and no further Actions will be executed.

reason

string

A human-readable explanation for rejecting the password reset. This may be presented directly in end-user interfaces.

`api.authentication`

Request changes to the authentication state of the current user’s session.

`api.authentication.challengeWith(factor, options)`

Request a challenge for multifactor authentication using the supplied factor and optional additional factors. When a multifactor challenge is requested, subsequent Actions will not be run until that challenge has been fulfilled by the user. A user will have satisfied the challenge in any of the following situations:

They successfully complete the challenge for the default factor.
They successfully complete the challenge for any of the optional factors described in additionalFactors.

If any of the factors requested has already been challenged successfully in the current transaction, it will be ignored. If a factor is requested is not enabled on the tenant, it will be ignored. If a factor is requested that the user has not enrolled, it will be ignored. If none of the requested factors is enabled or enrolled, the authentication transaction will fail (i.e. login will not complete).

This method will result in a factor challenge screen being shown if the user has not already satisfied the requirements of the challenge. If additionalFactors are supplied, the user will have the option to select another factor if they choose to.

factor

factorselector

An object describing the type of factor its options that should be used for the initial challenge.

Hide factor properties

type

string

A type of authentication factor such as push-notification, phone, email, otp, webauthn-roaming, webauthn-platform, and recovery-code.Allowed values: otp, email, webauthn-platform, webauthn-roaming, recovery-code

options

dictionary

optional

Additional options for configuring a factor of a given type.

options

challengewithoptions

optional

Additional options which can also specify additionalFactors as a property.

Hide options properties

additionalFactors

array of objects

optional

`api.authentication.challengeWithAny(factors)`

Request a challenge for multifactor authentication using any of the supplied factors (showing a factor selection screen first). When a multifactor challenge is requested, subsequent Actions will not be run until that challenge has been fulfilled by the user. A user will have satisfied the challenge in any of the following situations:

They successfully complete the challenge for any of the factors.

This method will result in the factor selector screen being shown if the user has not already satisfied the requirements of the challenge. If there is a preferred factor, the api.authentication.challengeWith() method is preferred. The factor selector screen will not be shown if only one factor is passed in or is valid.

factors

array of objects

An array of factors.

`api.redirect`

Configure and initiate external redirects.

`api.redirect.encodeToken(options)`

Create a session token suitable for using as a query string parameter redirect target (via sendUserTo) that contains data whose authenticity must be provable by the target endpoint. The target endpoint can verify the authenticity and integrity of the data by checking the JWT’s signature using a shared secret. The shared secret should be stored as a secret of the Action and will be readable at event.secrets['<secret_name>'].

options

tokencreationoptions

Configure how sensitive data is encoded into the query parameters of the resulting url.

Hide options properties

expiresInSeconds

number

optional

Number of seconds before this token will expire

payload

dictionary

The data intended to be passed to the target of the redirect and whose authenticity and integrity must be provable.

secret

string

A secret that will be used to sign a JWT that is shared with the redirect target. The secret value should be stored as a secret and retrieved using event.secrets['<secret_name>'].

`api.redirect.sendUserTo(url, options)`

Cause the password reset pipeline to trigger a browser redirect to the target url immediately after this action completes. The createUrl helper method is provided to simplify encoding data as a query parameter in the target url such that the data’s authenticity and integrity can be verified by the target endpoint.

url

string

options

sendusertooptions

optional

Hide options properties

query

dictionary

optional

An object representing additional query string parameters that should be appended to the redirect URL.

`api.redirect.validateToken(options)`

Retrieve the data encoded in a JWT token passed to the /continue endpoint while verifying the authenticity and integrity of that data.

options

validatesessiontokenoptions

Options for retrieving the data encoded in a JWT token passed to the /continue endpoint following a rediret.

Hide options properties

secret

string

tokenParameterName

string

optional

The name of the query or body parameter that was sent to the /continue endpoint.

`api.cache`

Make changes to the cache.

`api.cache.delete(key)`

Delete a record describing a cached value at the supplied key if it exists.

key

string

The key of the cache record to delete.

`api.cache.get(key)`

Retrieve a record describing a cached value at the supplied key, if it exists. If a record is found, the cached value can be found at the value property of the returned object.

key

string

The key of the record stored in the cache.

`api.cache.set(key, value, options)`

Store or update a string value in the cache at the specified key. Values stored in this cache are scoped to the Trigger in which they are set. They are subject to the Actions Cache Limits. Values stored in this way will have lifetimes of up to the specified ttl or expires_at values. If no lifetime is specified, a default of lifetime of 24 hours will be used. Lifetimes may not exceed the maximum duration listed at Actions Cache Limits. Important: This cache is designed for short-lived, ephemeral data. Items may not be available in later transactions even if they are within their supplied their lifetime.

key

string

The key of the record to be stored.

value

string

The value of the record to be stored.

options

cachesetoptions

optional

Options for adjusting cache behavior.

Hide options properties

expires_at

number

optional

The absolute expiry time in milliseconds since the unix epoch. While cached records may be evicted earlier, they will never remain beyond the the supplied expires_at.Note: This value should not be supplied if a value was also provided for ttl. If both options are supplied, the earlier expiry of the two will be used.

ttl

number

optional

The time-to-live value of this cache entry in milliseconds. While cached values may be evicted earlier, they will never remain beyond the the supplied ttl.Note: This value should not be supplied if a value was also provided for expires_at. If both options are supplied, the earlier expiry of the two will be used.

`api.prompt`

Renders a custom prompt.

`api.prompt.render(promptId, promptOptions)`

Renders a custom prompt.

promptId

string

The prompt ID.

promptOptions

promptoptions

optional

The render options.

Hide promptOptions properties

fields

dictionary

optional

Key-value pairs to populate field values (client-side).

vars

dictionary

optional

Key-value pairs to inject variables (server-side).

`api.transaction`

Configure the transaction.

`api.transaction.setResultUrl(url, options)`

Set the URL that the user should be redirected to after the password reset.

url

string

The URL to redirect the user to.

options

resulturloptions

optional

Hide options properties

query

dictionary

optional

The query parameters to include in the URL.

Brand Customization

Code Customization

Third-Party Customization

Actions Triggers: password-reset-post-challenge - API Object

`api.access`

`api.access.deny(reason)`

`api.authentication`

`api.authentication.challengeWith(factor, options)`

`api.authentication.challengeWithAny(factors)`

`api.redirect`

`api.redirect.encodeToken(options)`

`api.redirect.sendUserTo(url, options)`

`api.redirect.validateToken(options)`

`api.cache`

`api.cache.delete(key)`

`api.cache.get(key)`

`api.cache.set(key, value, options)`

`api.prompt`

`api.prompt.render(promptId, promptOptions)`

`api.transaction`

`api.transaction.setResultUrl(url, options)`

Brand Customization

Code Customization

Third-Party Customization

​api.access

​api.access.deny(reason)

​api.authentication

​api.authentication.challengeWith(factor, options)

​api.authentication.challengeWithAny(factors)

​api.redirect

​api.redirect.encodeToken(options)

​api.redirect.sendUserTo(url, options)

​api.redirect.validateToken(options)

​api.cache

​api.cache.delete(key)

​api.cache.get(key)

​api.cache.set(key, value, options)

​api.prompt

​api.prompt.render(promptId, promptOptions)

​api.transaction

​api.transaction.setResultUrl(url, options)

`api.access`

`api.access.deny(reason)`

`api.authentication`

`api.authentication.challengeWith(factor, options)`

`api.authentication.challengeWithAny(factors)`

`api.redirect`

`api.redirect.encodeToken(options)`

`api.redirect.sendUserTo(url, options)`

`api.redirect.validateToken(options)`

`api.cache`

`api.cache.delete(key)`

`api.cache.get(key)`

`api.cache.set(key, value, options)`

`api.prompt`

`api.prompt.render(promptId, promptOptions)`

`api.transaction`

`api.transaction.setResultUrl(url, options)`