Consume a setup token and set a password.
const url = 'https://example.com/auth/set-password';const options = { method: 'POST', headers: {'Content-Type': 'application/json'}, body: '{"password":"example","setupToken":"example"}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/auth/set-password \ --header 'Content-Type: application/json' \ --data '{ "password": "example", "setupToken": "example" }'Authorizations
Section titled “Authorizations”- None
Request Bodyrequired
Section titled “Request Bodyrequired”JSON body for POST /auth/set-password.
JSON body for POST /auth/set-password.
object
The new password to set.
The one-time setup token (returned from principal creation or reset).
Examplegenerated
{ "password": "example", "setupToken": "example"}Responses
Section titled “Responses”Successful login response containing a JWT.
Successful login response containing a JWT.
object
Token lifetime in seconds.
Signed JWT (ES256).
Examplegenerated
{ "expiresIn": 1, "token": "example"}Failed to parse the request body as JSON
Expected request with Content-Type: application/json
Failed to deserialize the JSON body into the target type
default
Section titled “default”Structured error envelope (SPEC-DATA-0006): {"errors": [{"scope", "target", "code", "message"}, ...]}.
The top-level response body. Wraps a non-empty list of [ErrorEntry].
object
The error entries making up the envelope. Always non-empty.
One entry in the error envelope.
Carries an anchoring [ErrorScope], an optional target that
disambiguates within the scope, a stable SCREAMING_SNAKE_CASE code, and
a human-readable English message. See SPEC-DATA-0006 for the full
envelope contract.
object
Machine-readable, stable, SCREAMING_SNAKE_CASE identifier.
HFX source location for a [DataError::HfxCompileError] entry.
Emitted as the extra location field on the entry JSON when present,
per SPEC-UI-0043. The line/column are 1-based. The frame is the
offending source line extracted verbatim from the input.
object
1-based column within the line, measured in UTF-16 code units of the prefix so browser-side editors can consume it directly.
The offending source line text, when available.
1-based line number within the source text.
Server-authored English message. Not part of the API contract; may change across releases without notice.
The key of the ValidationRule that
failed, when the code is RULE_FAILED. None for all other codes.
Skipped during serialization when absent so it does not appear on
unrelated entries (same pattern as location).
Documented here as a plain string (#[schemars(with = "...")])
rather than a $ref to ValidationRuleKey’s own schema: that type
lives in metadata-types, which does not derive JsonSchema yet
(tracked by #812). ValidationRuleKey serializes transparently as
its inner string (serde’s default newtype-struct behavior), so this
is an accurate wire-shape description, not a placeholder.
Field key for field scope, record id for record scope, null
otherwise. Always serialized, even when null.
Example
{ "errors": [ { "scope": "field" } ]}