---
title: Password Resend Recovery Code
description: The POST {{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password endpoint is called to recover a forgotten password. It sends a one-time-password (OTP) that is used to reset the password. The OTP is a randomly generated (not configurable) eight-character alphanumeric string (case-insensitive) sent to the user's email address, and the code is valid for five minutes. This operation uses the application/vnd.pingidentity.password.sendRecoveryCode+json custom media type as the content type in the request header.
component: pingone-api
page_id: pingone-api:platform:users/user-passwords/password-resend-recovery-code
canonical_url: https://developer.pingidentity.com/pingone-api/platform/users/user-passwords/password-resend-recovery-code.html
section_ids:
  prerequisites: Prerequisites
  headers: Headers
  example-request: Example Request
---

# Password Resend Recovery Code

```none
POST {{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password
```

The `POST {{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password` endpoint is called to recover a forgotten password. It sends a one-time password (OTP) that is used to reset the password. The OTP is a randomly generated (not configurable) eight-character alphanumeric string (case-insensitive) sent to the user's email address, and the code is valid for five minutes. This operation uses the `application/vnd.pingidentity.password.sendRecoveryCode+json` custom media type as the content type in the request header.

> This operation cannot be used if the user is disabled or if the password status is `NO_PASSWORD` or `PASSWORD_LOCKED_OUT`.

The sample shows the `POST {{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password` operation to recover a password for the user identified by the environment ID and user ID.

If the user exceeds the maximum number of invalid attempts to recover the password while using the recovery OTP, the password status is changed to `PASSWORD_LOCKED_OUT`. The `POST {{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password` endpoint is also used to reset the locked-out password using a recovery code. This operation uses the `application/vnd.pingidentity.password.recover+json` custom media type as the content type in the request header, and it requires the `recoveryCode` and the `newPassword` attributes in the request body.

> The recover password operation can be used only if the `account.canAuthenticate` user property is set to `true` or the password `status` is `PASSWORD_LOCKED_OUT` and the user is enabled and has a password. If an MFA action locks the account, then the password recovery action cannot unlock the account.
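The two requests described above (send the recovery code, then recover with `recoveryCode` and `newPassword`), as an added example that is not part of the PingOne documentation. It builds the requests without sending them and checks the code's format and five-minute lifetime locally, so that input that cannot succeed is not submitted as a recovery attempt. The function names, the `sent_at` timestamp kept by the caller, and the reading of "alphanumeric" as ASCII letters and digits are assumptions.

```python
import json
import re
import time
import urllib.request

SEND_CODE_TYPE = "application/vnd.pingidentity.password.sendRecoveryCode+json"
RECOVER_TYPE = "application/vnd.pingidentity.password.recover+json"
CODE_TTL_SECONDS = 5 * 60                    # page: the code is valid for five minutes
CODE_FORMAT = re.compile(r"[A-Za-z0-9]{8}")  # assumption: ASCII letters and digits only


def _password_request(api_path, env_id, user_id, token, media_type, body=None):
    """Build (but do not send) a POST to the user's password endpoint."""
    url = f"{api_path}/v1/environments/{env_id}/users/{user_id}/password"
    data = json.dumps(body).encode() if body is not None else b""
    headers = {"Content-Type": media_type, "Authorization": f"Bearer {token}"}
    return urllib.request.Request(url, data=data, headers=headers, method="POST")


def build_send_code_request(api_path, env_id, user_id, token):
    """Step 1: ask for a recovery code to be emailed to the user."""
    return _password_request(api_path, env_id, user_id, token, SEND_CODE_TYPE)


def build_recover_request(api_path, env_id, user_id, token,
                          recovery_code, new_password, sent_at, now=None):
    """Step 2: submit the code and the new password, after local pre-checks.

    sent_at is the time (seconds since the epoch) at which step 1 was sent;
    the caller is assumed to record it. Malformed or expired codes raise
    ValueError here and are never turned into a request.
    """
    code = recovery_code.strip()  # tolerate whitespace pasted from the email
    if not CODE_FORMAT.fullmatch(code):
        raise ValueError("recovery code must be eight alphanumeric characters")
    now = time.time() if now is None else now
    if now - sent_at > CODE_TTL_SECONDS:
        raise ValueError("recovery code expired; request a new one")
    body = {"recoveryCode": code, "newPassword": new_password}
    return _password_request(api_path, env_id, user_id, token, RECOVER_TYPE, body)
```

Pass the returned object to `urllib.request.urlopen` to send it; the server remains the authority on whether a code is valid.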

### Prerequisites

* Refer to [Users](../../users.html) and [User Passwords](../user-passwords.html) for important overview information.

* Create a user to get a `userID`. Refer to [Create User](../users-1/create-user.html). Run [Read User or Users](../users-1/read-all-users.html) to find an existing user.

### Headers

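| Header        | Value                                                       |
| ------------- | ----------------------------------------------------------- |
| Authorization | Bearer {{accessToken}}                                      |
| Content-Type  | application/vnd.pingidentity.password.sendRecoveryCode+json |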

### Example Request

```shell
curl --location --globoff --request POST '{{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password' \
--header 'Content-Type: application/vnd.pingidentity.password.sendRecoveryCode+json' \
--header 'Authorization: Bearer {{accessToken}}'
```

```csharp
var options = new RestClientOptions("{{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password")
{
  MaxTimeout = -1,
};
var client = new RestClient(options);
var request = new RestRequest("", Method.Post);
request.AddHeader("Content-Type", "application/vnd.pingidentity.password.sendRecoveryCode+json");
request.AddHeader("Authorization", "Bearer {{accessToken}}");
RestResponse response = await client.ExecuteAsync(request);
Console.WriteLine(response.Content);
```

```golang
package main

import (
  "fmt"
  "net/http"
  "io"
)

func main() {

  url := "{{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password"
  method := "POST"

  client := &http.Client {
  }
  req, err := http.NewRequest(method, url, nil)

  if err != nil {
    fmt.Println(err)
    return
  }
  req.Header.Add("Content-Type", "application/vnd.pingidentity.password.sendRecoveryCode+json")
  req.Header.Add("Authorization", "Bearer {{accessToken}}")

  res, err := client.Do(req)
  if err != nil {
    fmt.Println(err)
    return
  }
  defer res.Body.Close()

  body, err := io.ReadAll(res.Body)
  if err != nil {
    fmt.Println(err)
    return
  }
  fmt.Println(string(body))
}
```

```http
POST /v1/environments/{{envID}}/users/{{userID}}/password HTTP/1.1
Host: {{apiPath}}
Content-Type: application/vnd.pingidentity.password.sendRecoveryCode+json
Authorization: Bearer {{accessToken}}
```

```java
OkHttpClient client = new OkHttpClient().newBuilder()
  .build();
MediaType mediaType = MediaType.parse("application/vnd.pingidentity.password.sendRecoveryCode+json");
RequestBody body = RequestBody.create(mediaType, "");
Request request = new Request.Builder()
  .url("{{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password")
  .method("POST", body)
  .addHeader("Content-Type", "application/vnd.pingidentity.password.sendRecoveryCode+json")
  .addHeader("Authorization", "Bearer {{accessToken}}")
  .build();
Response response = client.newCall(request).execute();
```

```javascript
var settings = {
  "url": "{{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password",
  "method": "POST",
  "timeout": 0,
  "headers": {
    "Content-Type": "application/vnd.pingidentity.password.sendRecoveryCode+json",
    "Authorization": "Bearer {{accessToken}}"
  },
};

$.ajax(settings).done(function (response) {
  console.log(response);
});
```

```javascript
var request = require('request');
var options = {
  'method': 'POST',
  'url': '{{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password',
  'headers': {
    'Content-Type': 'application/vnd.pingidentity.password.sendRecoveryCode+json',
    'Authorization': 'Bearer {{accessToken}}'
  }
};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});
```

```python
import requests
import json

url = "{{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password"

payload = {}
headers = {
  'Content-Type': 'application/vnd.pingidentity.password.sendRecoveryCode+json',
  'Authorization': 'Bearer {{accessToken}}'
}

response = requests.request("POST", url, headers=headers, data=payload)

print(response.text)
```

```php
<?php
require_once 'HTTP/Request2.php';
$request = new HTTP_Request2();
$request->setUrl('{{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password');
$request->setMethod(HTTP_Request2::METHOD_POST);
$request->setConfig(array(
  'follow_redirects' => TRUE
));
$request->setHeader(array(
  'Content-Type' => 'application/vnd.pingidentity.password.sendRecoveryCode+json',
  'Authorization' => 'Bearer {{accessToken}}'
));
try {
  $response = $request->send();
  if ($response->getStatus() == 200) {
    echo $response->getBody();
  }
  else {
    echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' .
    $response->getReasonPhrase();
  }
}
catch(HTTP_Request2_Exception $e) {
  echo 'Error: ' . $e->getMessage();
}
```

```ruby
require "uri"
require "json"
require "net/http"

url = URI("{{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = (url.scheme == "https") # enable TLS when the API path is an https URL
request = Net::HTTP::Post.new(url)
request["Content-Type"] = "application/vnd.pingidentity.password.sendRecoveryCode+json"
request["Authorization"] = "Bearer {{accessToken}}"

response = http.request(request)
puts response.read_body
```

```swift
var request = URLRequest(url: URL(string: "{{apiPath}}/v1/environments/{{envID}}/users/{{userID}}/password")!,timeoutInterval: Double.infinity)
request.addValue("application/vnd.pingidentity.password.sendRecoveryCode+json", forHTTPHeaderField: "Content-Type")
request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization")

request.httpMethod = "POST"

let task = URLSession.shared.dataTask(with: request) { data, response, error in
  guard let data = data else {
    print(String(describing: error))
    return
  }
  print(String(data: data, encoding: .utf8)!)
}

task.resume()
```
