Action guide
Trace every forgot-password flow end to end
POST
/v1/events · user.password.resetEmit a `user.password.reset` event when a user completes the forgot-password flow and a new password is set via an email token. Distinct from a normal password change.
When to emit
Inside the reset handler that validates the token and writes the new password hash.
Example payload
await recalled.events.create({
action: "user.password.reset",
actor: { id: user.id, email: user.email },
organization: user.organizationId,
metadata: {
ip: "203.0.113.42",
userAgent: "Mozilla/5.0",
tokenIssuedAt: "value"
},
});Metadata to include
Keep metadata flat and consistent across your service so it plays well with search and CSV exports.
| Key | Purpose |
|---|---|
ip | Source IP address of the request |
userAgent | User agent string of the client |
tokenIssuedAt | When the reset link was emailed |
Suggested retention
Keep for at least 90 days so a user can contest 'my password was reset by someone else'.