# Arazzo workflow: Stytch consumer password reset by email.
#
# Handling notes for anyone running or adapting this file:
#   - info.description states that every call uses HTTP Basic auth with the
#     project_id and secret. Run the workflow from a trusted backend and
#     inject those credentials from the runner's secret store, never from
#     client-side code or a committed file.
#   - inputs.token, inputs.password and the session outputs are credentials.
#     Keep them out of runner logs, traces and saved reports.
arazzo: '1.0.1'
info:
  title: Stytch Password Reset by Email
  summary: >-
    Start an email password reset, complete it with the token, and read the
    new session.
  description: >-
    A self-service password recovery flow for consumer apps. The workflow
    starts a password reset by emailing the user a reset link, completes the
    reset using the token from that link together with the new password, and
    then reads the resulting session back to confirm the user is signed in.
    Every step spells out its request inline so the flow can be read and
    executed without opening the underlying OpenAPI description. All calls
    authenticate with HTTP Basic auth using your Stytch project_id as the
    username and secret as the password.
  version: '1.0.0'

sourceDescriptions:
  - name: stytchConsumerApi
    url: ../openapi/stytch-consumer-openapi.yml
    type: openapi

workflows:
  - workflowId: password-reset-email
    summary: >-
      Email a reset link, set the new password with the token, and verify the
      session.
    description: >-
      Sends a password reset email, completes the reset by exchanging the
      emailed token and the new password for a session, then reads the active
      sessions for the user.
    inputs:
      type: object
      # `token` is required here although it only exists once startReset has
      # sent the email, so a runner has to obtain it out of band before
      # completeReset can execute.
      required:
        - email
        - token
        - password
      properties:
        email:
          type: string
          description: The email address of the account to reset the password for.
        # NOTE(review): caller-supplied URL. Confirm the Stytch project
        # restricts redirect URLs to an allowlist, so the emailed link
        # (presumably the carrier of the reset token) cannot be pointed at a
        # host you do not control.
        reset_password_redirect_url:
          type: string
          description: The URL the user is redirected to after clicking the reset link.
        # Secret: whoever holds this token can set the account password.
        token:
          type: string
          description: The password reset token extracted from the emailed reset link.
        # Secret: travels in the JSON request body of completeReset, so
        # request logging on the runner must be redacted or disabled.
        password:
          type: string
          description: The new plaintext password to set on the account.
        # Optional, and still forwarded in the completeReset payload.
        # NOTE(review): confirm the API's bounds and its behaviour when this
        # is omitted.
        session_duration_minutes:
          type: integer
          description: Optional session lifetime in minutes for the authenticated session.
    steps:
      # Step 1: request the reset email.
      # NOTE(review): this step passes only on HTTP 200 and returns
      # user_id / email_id. If the API answers differently for unknown
      # addresses, an application that relays the outcome to the requester
      # reveals which emails have accounts; keep the user-facing response
      # uniform.
      - stepId: startReset
        description: >-
          Start a password reset by emailing the user a reset link, returning
          the user_id and email_id targeted by the reset.
        operationId: api_password_v1_passwords_email_ResetStart
        requestBody:
          contentType: application/json
          payload:
            email: $inputs.email
            reset_password_redirect_url: $inputs.reset_password_redirect_url
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          userId: $response.body#/user_id
          emailId: $response.body#/email_id

      # Step 2: exchange the emailed token and the new password for a session.
      # session_token and session_jwt in the response are bearer credentials
      # for the user's session.
      - stepId: completeReset
        description: >-
          Complete the password reset by submitting the emailed token and the
          new password, minting a fresh session in the process.
        operationId: api_password_v1_passwords_email_Reset
        requestBody:
          contentType: application/json
          payload:
            token: $inputs.token
            password: $inputs.password
            session_duration_minutes: $inputs.session_duration_minutes
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          userId: $response.body#/user_id
          sessionToken: $response.body#/session_token
          sessionJwt: $response.body#/session_jwt

      # Step 3: list the user's sessions, keyed by the user_id from step 2.
      # The only check is HTTP 200, so this does not by itself show that the
      # session minted in completeReset is in the returned list.
      - stepId: getSession
        description: >-
          Read the active sessions for the user to confirm the reset signed
          them in.
        operationId: api_session_v1_Get
        parameters:
          - name: user_id
            in: query
            value: $steps.completeReset.outputs.userId
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          sessions: $response.body#/sessions

    # Workflow outputs re-export the session credentials from completeReset.
    # Any consumer of these outputs must handle them as secrets.
    outputs:
      userId: $steps.completeReset.outputs.userId
      sessionToken: $steps.completeReset.outputs.sessionToken
      sessionJwt: $steps.completeReset.outputs.sessionJwt