Documentation
All Release Notes
Improved email verification and password reset flows
4 June 2025
Composable Commerce
HTTP API
Enhancement
CustomersMessages/SubscriptionsGraphQL

We've improved how email verification and password reset tokens are managed to support more secure login flows. The key changes are as follows:

  • Password reset tokens are valid for 24 hours by default (down from 24 days).
  • Older tokens for email verification or password reset can be invalidated when a new token is created.
  • Older tokens for email verification or password reset are invalidated when a token is successfully redeemed.
  • An error is returned when attempting to redeem an expired email verification or password reset token.

Additionally, if a token's validity is 60 minutes or less, the token is now included in the Message payload to help you build better asynchronous flows.

Changes:

  • [API] Added invalidateOlderTokens field to CustomerToken, CustomerCreateEmailToken, and CustomerCreatePasswordResetToken in Customers API.
  • [API] Added value and invalidateOlderTokens fields to CustomerEmailTokenCreated and CustomerPasswordTokenCreated Messages.
  • [API] Added ExpiredCustomerEmailToken and ExpiredCustomerPasswordToken errors.
  • [GraphQL API] Added invalidateOlderTokens field to the CustomerEmailToken type.
  • [GraphQL API] Added invalidateOlderTokens field to the CustomerPasswordToken type.
  • [GraphQL API] Added value and invalidateOlderTokens fields to the CustomerEmailTokenCreated type.
  • [GraphQL API] Added value and invalidateOlderTokens fields to the CustomerPasswordTokenCreated type.
  • [GraphQL API] Added invalidateOlderTokens argument to the Mutation.customerCreateEmailVerificationToken field.
  • [GraphQL API] Added invalidateOlderTokens argument to the Mutation.customerCreatePasswordResetToken field.
  • [GraphQL API] Changed the Mutation.customerCreatePasswordResetToken description.

The following changes were introduced in terms of GraphQL SDL:

extend type CustomerEmailToken {
  invalidateOlderTokens: Boolean!
}

extend type CustomerPasswordToken {
  invalidateOlderTokens: Boolean!
}

extend type CustomerEmailTokenCreated {
  invalidateOlderTokens: Boolean!
  value: String
}

extend type CustomerPasswordTokenCreated {
  invalidateOlderTokens: Boolean!
  value: String
}