4 June 2025
Customers, Messages/Subscriptions, GraphQL
We've improved how email verification and password reset tokens are managed to support more secure login flows. The key changes are as follows:
- Password reset tokens are valid for 24 hours by default (down from 24 days).
- Older tokens for email verification or password reset can be invalidated when a new token is created.
- Older tokens for email verification or password reset are invalidated when a token is successfully redeemed.
- An error is returned when attempting to redeem an expired email verification or password reset token.
Additionally, if a token's validity is 60 minutes or less, the token is now included in the Message payload to help you build better asynchronous flows.
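To make the rules above concrete, here is an added Python model of the token lifecycle (illustration only, not commercetools code): the 24-hour default, opt-in `invalidateOlderTokens`, invalidation of all other tokens on a successful redeem, the expired-token error, and `value` appearing in the Message only when validity is 60 minutes or less. The `PasswordTokenStore` class, its method names, the `tok-N` sample values and the integer-seconds clock are assumptions made for the example.

```python
# Added model of the token lifecycle this changelog describes (not commercetools code);
# PasswordTokenStore, its methods and the integer-seconds clock are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_TTL_MINUTES = 24 * 60      # changelog: reset tokens valid 24 hours by default
MESSAGE_VALUE_LIMIT_MINUTES = 60   # `value` is put in the Message only at <= 60 min

class ExpiredCustomerPasswordToken(Exception):
    """Raised on redeeming an expired token, mirroring the new API error."""

@dataclass
class PasswordResetToken:
    value: str             # constructed sample secret; a real store would hash it
    customer_id: str
    expires_at: int        # seconds since epoch
    invalidated: bool = False

class PasswordTokenStore:
    def __init__(self) -> None:
        self._tokens: List[PasswordResetToken] = []

    def _invalidate_all(self, customer_id: str) -> None:
        for t in self._tokens:                   # every token of this customer, whatever its expiry
            if t.customer_id == customer_id:
                t.invalidated = True

    def create(self, customer_id: str, now: int, ttl_minutes: int = DEFAULT_TTL_MINUTES,
               invalidate_older_tokens: bool = False) -> Tuple[PasswordResetToken, Dict]:
        if invalidate_older_tokens:              # opt-in: a new request supersedes old ones
            self._invalidate_all(customer_id)
        token = PasswordResetToken(f"tok-{len(self._tokens) + 1}", customer_id, now + ttl_minutes * 60)
        self._tokens.append(token)
        # CustomerPasswordTokenCreated payload: the secret travels in the Message only for short-lived tokens
        message: Dict = {"type": "CustomerPasswordTokenCreated", "customerId": customer_id,
                         "invalidateOlderTokens": invalidate_older_tokens}
        if ttl_minutes <= MESSAGE_VALUE_LIMIT_MINUTES:
            message["value"] = token.value
        return token, message

    def redeem(self, value: str, now: int) -> str:
        token = next((t for t in self._tokens if t.value == value and not t.invalidated), None)
        if token is None:
            raise LookupError("unknown or already invalidated token")
        if now >= token.expires_at:              # expired tokens are rejected, not silently accepted
            raise ExpiredCustomerPasswordToken(value)
        self._invalidate_all(token.customer_id)  # successful redeem: this and all older tokens die
        return token.customer_id
```

Because `value` is the secret itself, any subscription destination or log that receives a CustomerPasswordTokenCreated Message for a short-lived token must be protected as carefully as the token.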
Changes:
- [API] Added `invalidateOlderTokens` field to CustomerToken, CustomerCreateEmailToken, and CustomerCreatePasswordResetToken in Customers API.
- [API] Added `value` and `invalidateOlderTokens` fields to CustomerEmailTokenCreated and CustomerPasswordTokenCreated Messages.
- [API] Added ExpiredCustomerEmailToken and ExpiredCustomerPasswordToken errors.
- [GraphQL API] Added `invalidateOlderTokens` field to the `CustomerEmailToken` type.
- [GraphQL API] Added `invalidateOlderTokens` field to the `CustomerPasswordToken` type.
- [GraphQL API] Added `value` and `invalidateOlderTokens` fields to the `CustomerEmailTokenCreated` type.
- [GraphQL API] Added `value` and `invalidateOlderTokens` fields to the `CustomerPasswordTokenCreated` type.
- [GraphQL API] Added `invalidateOlderTokens` argument to the `Mutation.customerCreateEmailVerificationToken` field.
- [GraphQL API] Added `invalidateOlderTokens` argument to the `Mutation.customerCreatePasswordResetToken` field.
- [GraphQL API] Changed the `Mutation.customerCreatePasswordResetToken` description.
The following changes were introduced in terms of GraphQL SDL:
```graphql
extend type CustomerEmailToken {
  invalidateOlderTokens: Boolean!
}
extend type CustomerPasswordToken {
  invalidateOlderTokens: Boolean!
}
extend type CustomerEmailTokenCreated {
  invalidateOlderTokens: Boolean!
  value: String
}
extend type CustomerPasswordTokenCreated {
  invalidateOlderTokens: Boolean!
  value: String
}
```