
Password recovery with HMAC token

Forgot-password flow using HMAC-signed recovery tokens

Why HMAC, not random DB token

Validation is stateless: the server recomputes the HMAC over the token payload with its secret key and compares the result to the tag carried in the token, so no per-token database lookup is needed to establish authenticity. A token that verifies was issued by us and has not been altered in transit. The trade-off is that the signing key is the whole trust anchor: anyone holding it can mint valid recovery tokens, so it must be kept out of logs and client-reachable storage. See ADR 0017.

Single-use enforcement

The HMAC check itself is stateless, but single-use enforcement is stateful: Kratos records each consumed token in the recovery flow's state, so presenting the same token a second time (a replay) fails with "token already used". Stateless verification alone cannot provide this, because a valid signature stays valid until the token expires.

Where to learn more
