Documentation

Get started in 15 minutes

Integrate password reset, 2FA, and magic links without building complex auth infrastructure. This guide walks through the complete integration.

1. Sign up and get your API key

Create a free account and generate your first API key. No credit card required for the 14-day trial.

2. Add the widget to your page

Drop a single script tag on your forgot password page. Works with any framework or plain HTML.

3. Implement two webhooks

One to verify users exist, one to confirm password updates. ResetKit handles everything else.

Installation

Option 1: NPM Package (Recommended)

Install via npm for TypeScript support and bundler integration:

npm install @resetkit/widget

Then initialize in your code:

import ResetKit from '@resetkit/widget'

ResetKit.init({
  apiKey: 'rk_live_...',
  container: '#reset-form'
});

Option 2: Script Tag

For vanilla HTML or when you don't want to use a bundler:

<!-- Add to your <head> -->
<script src="https://cdn.resetkit.dev/widget.js"></script>

<!-- Initialize in your page -->
<script>
  ResetKit.init({
    apiKey: 'rk_live_...',
    container: '#reset-form'
  });
</script>

Webhook Setup

ResetKit needs two webhooks to communicate with your backend. Both are simple POST endpoints that return JSON.

POST /webhook/verify-user

Called when a user requests a password reset. Return whether the email exists in your database.

Request body:

{
  "email": "user@example.com"
}

Expected response:

{
  "exists": true
}

Example implementation:

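// Assumes an Express `app` with JSON body parsing and a MongoDB-style `db` handle.
app.post('/webhook/verify-user', async (req, res) => {
  const { email } = req.body;
  // Accept only a string: a JSON object here would reach the query as an operator.
  if (typeof email !== 'string') {
    return res.status(400).json({ exists: false });
  }
  const user = await db.users.findOne({ email });
  res.json({ exists: !!user });
});

POST /webhook/reset-complete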

Called after the user successfully verifies their identity. Update their password in your database.

Request body:

{
  "email": "user@example.com",
  "password": "newSecurePassword123",
  "sessionId": "abc123..."
}

Expected response:

{
  "success": true
}

Example implementation:

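const bcrypt = require('bcrypt');

app.post('/webhook/reset-complete', async (req, res) => {
  const { email, password } = req.body;
  // Accept only strings: an object in `email` would reach the update filter as a query operator.
  if (typeof email !== 'string' || typeof password !== 'string') {
    return res.status(400).json({ success: false });
  }
  // Store only the bcrypt hash (cost factor 12), never the plaintext password.
  const hashed = await bcrypt.hash(password, 12);
  await db.users.updateOne(
    { email },
    { $set: { password: hashed } }
  );
  res.json({ success: true });
});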

Security note: Webhook requests include an HMAC signature in the X-ResetKit-Signature header. Verify this signature to ensure requests are genuinely from ResetKit. See the security docs for implementation details.
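A sketch of the signature check described in the security note, added here as an example and not ResetKit's own code. It assumes HMAC-SHA256 over the raw request body, hex-encoded in the header and keyed with a per-account webhook secret; this page does not specify any of these, so confirm them in the security docs. The names verifySignature, handleWebhook and SECRET are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumptions (not stated on this page): HMAC-SHA256, keyed with a webhook
// secret, computed over the raw body bytes, hex-encoded in X-ResetKit-Signature.
function verifySignature(rawBody, signatureHeader, secret) {
  if (typeof signatureHeader !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHeader)) {
    return false; // missing, wrong length, or not hex
  }
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, 'hex');
  // Constant-time comparison; both buffers are 32 bytes after the check above.
  return crypto.timingSafeEqual(received, expected);
}

// Framework-neutral handler: authenticate the raw bytes first, parse second.
function handleWebhook(headers, rawBody, secret) {
  if (!verifySignature(rawBody, headers['x-resetkit-signature'], secret)) {
    return { status: 401, body: { error: 'invalid signature' } };
  }
  let payload;
  try {
    payload = JSON.parse(rawBody.toString('utf8'));
  } catch {
    return { status: 400, body: { error: 'invalid JSON' } };
  }
  // Reject anything but a string email before it reaches a database query.
  if (!payload || typeof payload.email !== 'string') {
    return { status: 400, body: { error: 'invalid email' } };
  }
  return { status: 200, payload };
}

// Constructed sample data (secret, body and signature are made up for the demo).
const SECRET = 'whsec_constructed_example';
const sign = (buf) => crypto.createHmac('sha256', SECRET).update(buf).digest('hex');
const raw = Buffer.from('{"email": "user@example.com"}');
const headers = { 'x-resetkit-signature': sign(raw) };

function demo() {
  // Parsing and re-stringifying drops the space after the colon, so the bytes differ.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(raw.toString())));
  const tampered = Buffer.from('{"email": "admin@example.com"}');
  return {
    genuine: handleWebhook(headers, raw, SECRET).status,
    tampered: handleWebhook(headers, tampered, SECRET).status,
    reserialized: handleWebhook(headers, reserialized, SECRET).status,
    unsigned: handleWebhook({}, raw, SECRET).status,
  };
}
console.log(demo());
```

The reserialized case fails because the MAC covers bytes, not parsed JSON. In Express, capture the raw bytes with express.raw() or the verify option of express.json() rather than re-stringifying req.body.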

Configuration Options

Option      Type      Description
apiKey      string    Your ResetKit API key (required)
container   string    CSS selector for widget mount point (required)
brandColor  string    Primary color for buttons and links (optional)
returnUrl   string    Where to redirect after successful reset (optional)
onSuccess   function  Callback fired on successful reset (optional)
onError     function  Callback fired on error (optional)