Password reset

Reset flow

Five clicks if you have access to your email:

  1. Visit askvault.co/login.
  2. Click "Forgot password?"
  3. Enter your email. We send a reset link if the account exists. (Same response if not, to avoid leaking which emails are registered.)
  4. Open the email, click the reset link. Link expires in 60 minutes.
  5. Enter a new password (12 characters minimum, with one digit and one symbol).

You're logged in immediately with the new password. All existing sessions on other devices are invalidated.

Why other sessions invalidate

Security: a password reset usually follows a suspected compromise. Invalidating other sessions ensures any attacker is logged out the moment you reset.

What this means:

  • Other browser tabs logged in to AskVault get bounced to login.
  • Mobile apps signed in to AskVault require re-login.
  • API keys (ak_xxx) stay valid. Keys aren't password-tied. Rotate manually if you suspect compromise (see API keys).

The reset email looks like:

Subject: Reset your AskVault password

Hi {name},

Click the link below to reset your password. The link expires in 60 minutes.

[Reset password]

If you didn't request a reset, ignore this email. Your password stays unchanged.

The link points to askvault.co/reset?token=.... Tokens are single-use and tied to your account.
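As an added illustration (not AskVault's own code), here is one way a service can make reset tokens single-use and expire after 60 minutes. Storing only a hash of each token and cancelling an account's older tokens when a new one is issued are assumptions of this sketch, and `ResetTokenStore` is a hypothetical name.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 60 * 60  # page: the link expires in 60 minutes


class ResetTokenStore:
    """In-memory stand-in for a database table of pending reset tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account_id):
        """Create a token tied to account_id; only its hash is kept (assumption)."""
        # Assumption: a new request cancels any older unused link for the account.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != account_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (account_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the account id exactly once; None if unknown, used or expired."""
        entry = self._pending.pop(self._digest(token), None)  # pop enforces single use
        if entry is None:
            return None
        account_id, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return account_id


def demo():
    now = [1_000_000.0]  # constructed clock so expiry can be shown offline
    store = ResetTokenStore(clock=lambda: now[0])
    first = store.issue("acct-1")
    results = {"first_use": store.redeem(first), "second_use": store.redeem(first)}
    late = store.issue("acct-1")
    now[0] += TOKEN_TTL_SECONDS + 1  # just past the 60-minute lifetime
    results["after_expiry"] = store.redeem(late)
    results["forged"] = store.redeem("not-a-real-token")
    return results
```

Because the store keeps only the SHA-256 digest, a leaked copy of the token table does not yield usable reset links.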

Rate limits on reset requests

To prevent abuse:

  • Up to 5 reset emails per hour per account.
  • Up to 10 reset emails per hour per IP address.
  • Sustained abuse triggers a 24-hour cooldown.

Most users hit the limit by accident from clicking Resend too many times. Wait an hour and retry.
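The two hourly limits above, sketched as sliding-window counters. This is an added example, not AskVault's implementation: `ResetRateLimiter` is a hypothetical name, the accounts and IP addresses are constructed, and the 24-hour cooldown is left out because the page does not say what triggers it.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600
PER_ACCOUNT_LIMIT = 5   # page: up to 5 reset emails per hour per account
PER_IP_LIMIT = 10       # page: up to 10 reset emails per hour per IP address


class ResetRateLimiter:
    def __init__(self, registered_emails):
        self._registered = {e.lower() for e in registered_emails}
        self._hits = defaultdict(deque)  # counter key -> request timestamps

    def _allow(self, key, limit, now):
        hits = self._hits[key]
        while hits and hits[0] <= now - WINDOW_SECONDS:
            hits.popleft()               # forget requests older than one hour
        if len(hits) >= limit:
            return False
        hits.append(now)
        return True

    def request_reset(self, email, ip, now):
        """Return (status, email_sent); status never depends on registration."""
        addr = email.strip().lower()
        if not self._allow(("ip", ip), PER_IP_LIMIT, now):
            return "rate_limited", False
        # Counted per submitted address, registered or not, so hitting the
        # limit reveals nothing about whether the account exists (assumption).
        if not self._allow(("addr", addr), PER_ACCOUNT_LIMIT, now):
            return "rate_limited", False
        return "accepted", addr in self._registered


def demo():
    limiter = ResetRateLimiter(["alice@example.com"])  # constructed account
    t0 = 1_000_000
    known = [limiter.request_reset("alice@example.com", "203.0.113.5", t0 + i)
             for i in range(6)]
    unknown = [limiter.request_reset("nobody@example.com", "203.0.113.6", t0 + i)
               for i in range(6)]
    one_ip = [limiter.request_reset(f"u{i}@example.com", "203.0.113.7", t0 + i)[0]
              for i in range(11)]
    later = limiter.request_reset("alice@example.com", "203.0.113.5",
                                  t0 + WINDOW_SECONDS + 10)
    return known, unknown, one_ip, later
```

In `demo()`, the registered and unregistered addresses see the same sequence of statuses; only the internal `email_sent` flag differs.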

What if I don't have access to the email

Three recovery paths in order of speed:

  1. Recovery email (if you set one). Account Settings > Security > Recovery Email lets you set a backup address. Reset links also send there. Set this in advance.
  2. 2FA backup codes (if 2FA enabled). The backup codes generated during 2FA setup also recover your account when paired with proof of identity.
  3. Support recovery. Email support@askvault.co from any address with proof of ownership: billing card last 4, workspace name, recent invoice number. Manual recovery within 24 hours.

Tip: set the recovery email at signup. Skipping it is the #1 cause of locked-out-of-account support tickets.

Forced password reset (admin-initiated)

Account admins can force a password reset on a team member:

  1. Team Management > [member] > Force Password Reset.
  2. Member gets a mandatory reset email.
  3. All their sessions invalidate immediately.

Common reason: an employee left the company and their device might still be logged in. Force-reset cuts access in seconds.

Reset for SSO and Google-OAuth accounts

If you log in only via Google OAuth or Enterprise SSO:

  • No AskVault password exists. Reset flow doesn't apply.
  • Recover access via Google or your IdP (the usual "forgot Google password" flow).

If you signed up with email and password and later linked Google, the password reset still works for the email-and-password method.

Setting a password after passwordless signup

If you signed up via Google and want to also enable email-and-password login:

  1. Open Account Settings > Security > Set Password.
  2. Enter and confirm a new password.
  3. Save.

Both login methods now work. Reset flow becomes available.

Password requirements

Same as signup:

  • 12 characters minimum.
  • At least one digit and one symbol.
  • Not in the leaked-password list (100,000 entries via HaveIBeenPwned k-anonymity).
  • Doesn't equal your email or name.

We don't force rotation. Picking a strong password once is better than rotating weak ones every 90 days.
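The four rules above as a checker, added here as an example and not taken from AskVault's code. It assumes the leaked-password lookup follows the HaveIBeenPwned range-query convention (send the first 5 hex characters of the SHA-1 hash, match the remaining 35 locally against `SUFFIX:COUNT` lines), treats "symbol" as ASCII punctuation, and uses a hypothetical `fetch_range` callable with a constructed offline response in place of a network call.

```python
import hashlib
import string


def hibp_range_parts(password):
    """Split SHA-1(password) into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_leaked(password, fetch_range):
    """fetch_range(prefix) returns 'SUFFIX:COUNT' lines; matching happens on our side."""
    prefix, suffix = hibp_range_parts(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, _count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return True
    return False


def check_password(password, email, name, fetch_range):
    """Return the list of rules from the page that the password breaks."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):  # assumption: ASCII symbols
        problems.append("no symbol")
    if password.lower() in {email.lower(), name.lower()}:
        problems.append("equals email or name")
    if is_leaked(password, fetch_range):
        problems.append("found in leaked-password list")
    return problems


def fake_range(prefix):
    """Constructed response: one decoy row, plus the row for a password we treat as leaked."""
    leaked_prefix, leaked_suffix = hibp_range_parts("Summer2024!!")
    rows = ["0018A45C4D1DEF81644B54AB7F969B88D65:3"]  # constructed decoy suffix
    if prefix == leaked_prefix:
        rows.append(leaked_suffix + ":1523")           # constructed count
    return "\n".join(rows)
```

`Summer2024!!` satisfies the length, digit and symbol rules and is rejected only by the leak lookup, which is the case the composition rules alone would miss.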

Audit trail

Every password reset is logged:

  • Reset requested. Timestamp, IP, user agent.
  • Reset completed. Timestamp, IP.
  • Notification email. Sent to your verified email after a successful reset, alerting if it wasn't you.

Visible under Account Settings > Audit Log. Retained 365 days.

Common pitfalls

Reset email not arriving. Check spam, whitelist mailer@askvault.co, then retry. Up to 5 requests per hour allowed.

Link expired. 60-minute lifespan. Click Resend on the login page for a fresh link.

Already used the link. Tokens are single-use. If you clicked once, the password was reset; log in with the new password.

No "account not found" message. We don't reveal whether an email is registered. Try the same email at signup; if an "already exists" error fires, it's registered. Confirm spelling.

Old browser tab won't log out. Hard-refresh. The bounce-to-login happens on next API call; idle tabs may not realize for a few minutes.

FAQ

60 minutes. After that, request a new one.

Will resetting my password invalidate my API keys?

No. API keys (ak_xxx) are independent of your password. Rotate them under Dashboard > API Keys if you suspect they're compromised.

Can I reuse my old password?

Yes, technically. We don't block password reuse. Best practice is to pick a fresh one.

What if a team admin force-resets me?

You get an email with a reset link. Click, set a new password, log in. Your prior sessions are dead.

Can I reset over the phone or via SMS?

Not today. Reset is email-only. SMS-based reset is on the roadmap for Enterprise accounts.
