Password Reset · 2FA · Magic Links

Stop rebuilding
auth flows
on every project.

Password reset, 2FA, and magic links — enterprise-grade security, 15-minute integration. Two webhooks. One script tag. Done.

99.9% uptime
14-day free trial
No credit card required
// Drop in the widget
ResetKit.init({
  apiKey: 'rk_live_...',
  container: '#reset-form',
  returnUrl: 'https://yourapp.com/reset'
});

// Your backend — two endpoints
app.post('/webhook/verify-user', async (req, res) => {
  const user = await db.users.findOne({ email: req.body.email });
  res.json({ exists: !!user });
});
How it works

Three steps. No surprises.

01

Drop in the widget

One script tag on your forgot password page. Works with React, Vue, Angular, or plain HTML. No build step required.

HTML
<script src="https://cdn.resetkit.dev/widget.js"></script>
02

Implement two webhooks

One to verify a user exists. One to confirm the password was updated. ResetKit handles everything in between — codes, delivery, verification, expiry.

Endpoints
POST /webhook/verify-user
POST /webhook/reset-complete
03

Ship the same day

Your users get a branded, secure reset flow. You get completion rates, delivery analytics, and security events — all in your dashboard.

Built in
bcrypt · rate limiting · enumeration protection
Most developers integrate in under 15 minutes. The quickstart guide walks you through every step.
View quickstart
Security

Built secure. Not bolted on after.

Every security measure is in place before your first API call. You inherit a hardened auth flow without writing a single line of security code.

Security coverage: All active
Code storage: bcrypt / 10 rounds
Rate limiting: 3 layers
Token expiry: 15 min reset / 5 min 2FA
Webhook auth: HMAC-SHA256
Codes

bcrypt hashing

Verification codes are never stored in plaintext. Every code is bcrypt-hashed at cost factor 10 (2^10 key-derivation rounds) before persistence.

Abuse prevention

Sliding window rate limiting

Distributed rate limits across email, IP, and connection — backed by Upstash Redis. Works across every serverless instance.

Privacy

Enumeration protection

Reset requests return identical responses regardless of whether an email exists. Attackers cannot probe your user base.

Brute force

5-attempt lockout

Sessions lock permanently after 5 failed code attempts. With only 5 guesses against a million possible 6-digit codes, brute force is not practical before the lockout triggers.

Timing attacks

Timing-safe comparisons

All token and code comparisons use constant-time functions. Response times never leak information about validity.

Webhooks

HMAC webhook signing

Every webhook request is signed with HMAC-SHA256. Your backend can verify every payload is genuinely from ResetKit.

Pricing

Straightforward pricing. No usage anxiety.

Pay per project, not per reset. 14-day free trial on every plan. No credit card required to start.

Starter
$29/month

For indie developers and small projects.

3 connections
  • Password reset flow
  • Email 2FA
  • TOTP (Google Authenticator)
  • Webhook integration + signing
  • Rate limiting — all layers
  • Enumeration protection
  • Brute force protection
  • Audit logs
  • ResetKit branding on widget
Start free trial
Most popular
Growth
$79/month

For growing teams shipping multiple products.

10 connections
  • Everything in Starter
  • Custom email domain
  • Advanced analytics
  • Webhook failure alerts
  • Priority support
  • Remove ResetKit branding
Start free trial
Agency
$299/month

For agencies and studios managing client apps.

Unlimited connections
  • Everything in Growth
  • Unlimited connections
  • Team member access
  • SLA guarantee
  • Dedicated support
  • White label — no ResetKit anywhere
Start free trial
Annual billing available — 2 months free on any plan

Common questions

What counts as a connection?

One connection = one API key = one app integration. Each connection has its own key, webhook secret, and branding settings.

Can I switch plans?

Yes, upgrade or downgrade anytime. Changes take effect immediately and are prorated to your billing cycle.

What happens when my trial ends?

Your account pauses until you add a payment method. No data is deleted. Pick up exactly where you left off.

Is there a usage cap on resets or emails?

No. Plans are priced by connections, not volume. Send as many resets and 2FA codes as your users need.