Password reset, 2FA, and magic links — enterprise-grade security, 15-minute integration. Two webhooks. One script tag. Done.
// Drop in the widget
ResetKit.init({
  apiKey: 'rk_live_...',
  container: '#reset-form',
  returnUrl: 'https://yourapp.com/reset'
});

// Your backend — two endpoints
app.post('/webhook/verify-user', async (req, res) => {
  const user = await db.users.findOne({ email: req.body.email });
  res.json({ exists: !!user });
});

One script tag on your forgot password page. Works with React, Vue, Angular, or plain HTML. No build step required.
<script src="https://cdn.resetkit.dev/widget.js"></script>
One to verify a user exists. One to confirm the password was updated. ResetKit handles everything in between — codes, delivery, verification, expiry.
POST /webhook/verify-user
POST /webhook/reset-complete
Your users get a branded, secure reset flow. You get completion rates, delivery analytics, and security events — all in your dashboard.
bcrypt · rate limiting · enumeration protection
Every security measure is in place before your first API call. You inherit a hardened auth flow without writing a single line of security code.
Verification codes are never stored in plaintext. Every code is bcrypt-hashed with 10 rounds before persistence.
Distributed rate limits across email, IP, and connection — backed by Upstash Redis. Works across every serverless instance.
Reset requests return identical responses regardless of whether an email exists. Attackers cannot probe your user base.
Sessions lock permanently after 5 failed code attempts. With only 5 guesses allowed against a 6-digit code, brute-forcing it is impractical before lockout triggers.
All token and code comparisons use constant-time functions. Response times never leak information about validity.
Every webhook request is signed with HMAC-SHA256. Your backend can verify every payload is genuinely from ResetKit.
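How a backend can check the HMAC-SHA256 webhook signature with a constant-time comparison, as an added example that is not ResetKit's own code. The hex encoding, signing over the raw request body, the helper names and the sample secret are assumptions; the page does not document the header or signature format.

```javascript
// Added example, not ResetKit code. Assumptions: the signature is a
// hex-encoded HMAC-SHA256 computed over the raw request body bytes.
const crypto = require('crypto');

// Returns true only if signatureHex is the HMAC-SHA256 of rawBody under secret.
function verifyWebhookSignature(rawBody, signatureHex, secret) {
  // Reject missing, wrong-length or non-hex values before any comparison.
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false;
  }
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHex, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(expected, received);
}

// Hypothetical sender-side helper, used only to build the demo input.
function signPayload(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Constructed sample data (not real credentials or payloads).
const SAMPLE_SECRET = 'constructed-webhook-secret';
const SAMPLE_BODY = '{ "email": "user@example.com" }'; // raw bytes as received

function demo() {
  const sig = signPayload(SAMPLE_BODY, SAMPLE_SECRET);
  // Parsing and re-serializing changes the bytes, so the HMAC no longer matches:
  // verify against the raw body, not against JSON.stringify(req.body).
  const reserialized = JSON.stringify(JSON.parse(SAMPLE_BODY));
  return {
    valid: verifyWebhookSignature(SAMPLE_BODY, sig, SAMPLE_SECRET),
    tampered: verifyWebhookSignature(
      '{ "email": "other@example.com" }', sig, SAMPLE_SECRET),
    reserialized: verifyWebhookSignature(reserialized, sig, SAMPLE_SECRET),
    wrongSecret: verifyWebhookSignature(SAMPLE_BODY, sig, 'another-secret'),
    missing: verifyWebhookSignature(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    truncated: verifyWebhookSignature(SAMPLE_BODY, sig.slice(0, 10), SAMPLE_SECRET),
  };
}

console.log(demo());
```

In an Express handler this check needs the unparsed body (for example captured before JSON parsing) and should run before any database lookup.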
Pay per project, not per reset. 14-day free trial on every plan. No credit card required to start.
For indie developers and small projects.
For growing teams shipping multiple products.
For agencies and studios managing client apps.