POST /api/v1/users/{userId}/credentials/change_password

Updates a User's password by validating the User's current Password.

This operation provides an option to delete all the sessions of the specified User. However, if the request is made in the context of a session owned by the specified User, that session isn't cleared.

You can only perform this operation on Users in STAGED, ACTIVE, PASSWORD_EXPIRED, or RECOVERY status that have a valid Password credential.

The User transitions to ACTIVE status when successfully invoked in RECOVERY status.

Path parameters

Name Type Required Description
userId String Yes

ID of an existing Okta user

Request headers

Name Type Required Description
Content-Type String Yes The media type of the request body.

Default value: "application/json"

Query parameters

Name Type Required Description
strict Boolean No

If true, validates against password minimum age policy

Default value: false

Request body fields

Name Type Required Description
newPassword Object No

Specifies a password for a user.

When a User has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

For information on defaults and configuring your password policies, see Configure the password authenticator in the help documentation.

newPassword.hash Object No

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a User with a hashed password, the User must be in the STAGED status.

newPassword.hash.digestAlgorithm String No

Algorithm used to generate the key. Only required for the PBKDF2 algorithm.

Possible values:

  • "SHA512_HMAC"
  • "SHA256_HMAC"
newPassword.hash.keySize Integer No

Size of the derived key in bytes. Only required for PBKDF2 algorithm.

newPassword.hash.algorithm String No

The algorithm used to generate the hash using the password (and salt, when applicable).

Possible values:

  • "BCRYPT"
  • "PBKDF2"
  • "MD5"
  • "SHA-256"
  • "SHA-512"
  • "SHA-1"
newPassword.hash.iterationCount Integer No

The number of iterations used when hashing passwords using PBKDF2. Must be >= 4096. Only required for PBKDF2 algorithm.

newPassword.hash.value String No

For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual Base64-encoded hash of the password (and salt, if used). This is the Base64-encoded value of the SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either prefixing or postfixing the salt to the password, depending on the saltOrder. If a salt was not used in the source system, then this should just be the Base64-encoded value of the password's SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the actual Radix-64-encoded hashed password.

newPassword.hash.saltOrder String No

Specifies whether the salt was prefixed or postfixed to the password before hashing. Only required for salted algorithms.

newPassword.hash.workFactor Integer No

Governs the strength of the hash and the time required to compute it. Only required for BCRYPT algorithm.

newPassword.hash.salt String No

Only required for salted hashes. For BCRYPT, this specifies the Radix-64-encoded salt used to generate the hash, which must be 22 characters long. For other salted hashes, this specifies the Base64-encoded salt used to generate the hash.

newPassword.hook Object No

Specify a password import inline hook to trigger verification of the User's password the first time the User signs in. This allows an existing password to be imported into Okta directly from some other store.

newPassword.hook.type String No

The type of password inline hook. Currently, must be set to default.

newPassword.value String No

Specifies the password for a user. The Password Policy validates this password.

oldPassword Object No

Specifies a password for a user.

When a User has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

For information on defaults and configuring your password policies, see Configure the password authenticator in the help documentation.

oldPassword.hash Object No

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a User with a hashed password, the User must be in the STAGED status.

oldPassword.hash.digestAlgorithm String No

Algorithm used to generate the key. Only required for the PBKDF2 algorithm.

Possible values:

  • "SHA512_HMAC"
  • "SHA256_HMAC"
oldPassword.hash.keySize Integer No

Size of the derived key in bytes. Only required for PBKDF2 algorithm.

oldPassword.hash.algorithm String No

The algorithm used to generate the hash using the password (and salt, when applicable).

Possible values:

  • "BCRYPT"
  • "PBKDF2"
  • "MD5"
  • "SHA-256"
  • "SHA-512"
  • "SHA-1"
oldPassword.hash.iterationCount Integer No

The number of iterations used when hashing passwords using PBKDF2. Must be >= 4096. Only required for PBKDF2 algorithm.

oldPassword.hash.value String No

For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual Base64-encoded hash of the password (and salt, if used). This is the Base64-encoded value of the SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either prefixing or postfixing the salt to the password, depending on the saltOrder. If a salt was not used in the source system, then this should just be the Base64-encoded value of the password's SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the actual Radix-64-encoded hashed password.

oldPassword.hash.saltOrder String No

Specifies whether the salt was prefixed or postfixed to the password before hashing. Only required for salted algorithms.

oldPassword.hash.workFactor Integer No

Governs the strength of the hash and the time required to compute it. Only required for BCRYPT algorithm.

oldPassword.hash.salt String No

Only required for salted hashes. For BCRYPT, this specifies the Radix-64-encoded salt used to generate the hash, which must be 22 characters long. For other salted hashes, this specifies the Base64-encoded salt used to generate the hash.

oldPassword.hook Object No

Specify a password import inline hook to trigger verification of the User's password the first time the User signs in. This allows an existing password to be imported into Okta directly from some other store.

oldPassword.hook.type String No

The type of password inline hook. Currently, must be set to default.

oldPassword.value String No

Specifies the password for a user. The Password Policy validates this password.

revokeSessions Boolean No

When set to true, revokes all User sessions, except for the current session.

Default value: false
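An added example (not Okta's own code or SDK) that builds a change_password request from the parameters above and checks a Password.hash object against the field rules documented for newPassword.hash / oldPassword.hash. The org URL, user ID and token are constructed placeholders; the SSWS Authorization header is an assumption about Okta API tokens and is not listed on this page.

```python
"""Build a change_password request and validate a Password.hash object.
Added example, not Okta's own code. The org URL, API token and user ID
used by callers are constructed placeholders; the SSWS auth header is assumed."""
import json
from urllib.parse import quote, urlencode

HASH_ALGORITHMS = {"BCRYPT", "PBKDF2", "MD5", "SHA-256", "SHA-512", "SHA-1"}
PBKDF2_DIGESTS = {"SHA512_HMAC", "SHA256_HMAC"}


def validate_hash(h: dict) -> None:
    """Raise ValueError if a Password.hash object violates the documented rules."""
    alg = h.get("algorithm")
    if alg not in HASH_ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm: {alg!r}")
    if not h.get("value"):
        raise ValueError("hash.value is required")
    if alg == "PBKDF2":
        if h.get("digestAlgorithm") not in PBKDF2_DIGESTS:
            raise ValueError("PBKDF2 requires digestAlgorithm SHA512_HMAC or SHA256_HMAC")
        if not isinstance(h.get("keySize"), int):
            raise ValueError("PBKDF2 requires keySize (derived key size in bytes)")
        if not isinstance(h.get("iterationCount"), int) or h["iterationCount"] < 4096:
            raise ValueError("PBKDF2 iterationCount must be an integer >= 4096")
    if alg == "BCRYPT":
        if not isinstance(h.get("workFactor"), int):
            raise ValueError("BCRYPT requires workFactor")
        if len(h.get("salt", "")) != 22:
            raise ValueError("BCRYPT salt must be exactly 22 Radix-64 characters")
    elif "salt" in h and "saltOrder" not in h:
        raise ValueError("salted hashes require saltOrder")


def build_change_password_request(org_url, api_token, user_id, old_password,
                                  new_password, revoke_sessions=False, strict=False):
    """Return (method, url, headers, body) for POST .../credentials/change_password.

    Both passwords are sent as plain values: the hash and hook forms are only
    accepted when creating or updating a STAGED user, not for this operation."""
    if not old_password or not new_password:
        raise ValueError("oldPassword.value and newPassword.value are required")
    url = f"{org_url.rstrip('/')}/api/v1/users/{quote(user_id, safe='')}/credentials/change_password"
    if strict:  # opt in to the password minimum-age policy check
        url += "?" + urlencode({"strict": "true"})
    headers = {"Content-Type": "application/json",
               "Authorization": f"SSWS {api_token}"}  # assumed API-token scheme
    body = {"oldPassword": {"value": old_password},
            "newPassword": {"value": new_password},
            "revokeSessions": revoke_sessions}  # the calling session is never revoked
    return "POST", url, headers, json.dumps(body)
```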

How to start integrating

  1. Add HTTP Task to your workflow definition.
  2. Search for the API you want to integrate with and click on the name.
    • This loads the API reference documentation and prepares the HTTP request settings.
  3. Click Test request to test run your request to the API and see the API's response.