Account Recovery & Keys
Reset or change your password, manage Guard SDK secret keys, and recover access when you're locked out of SSO.
Account Recovery & Keys
Password reset & change
- Forgot password.
POST /auth/api/v1/password/forgotwith your account email. Safeguard emails a reset link; the token is valid for 24 hours. In the app, this is the "Forgot password?" link on the login screen. - Reset with token.
POST /auth/api/v1/password/resetwith the token from the email plus your new password. Password rules: minimum 8 characters, with at least one uppercase letter, one lowercase letter, one number, and one special character. - Change password (while signed in).
POST /auth/api/v1/password/changewith your current and new password. The same complexity rules apply.
Secret keys (Guard SDK)
Secret keys are self-service credentials the Guard SDK uses to pull live policy. They live under the base path /auth/api/v1/secret-keys.
- Create.
POST /auth/api/v1/secret-keyswith apurpose. The plaintext key is returned only once, in the create response — Safeguard stores only a hash, so copy it immediately. If you lose it, revoke the key and create a new one. - List your keys.
GET /auth/api/v1/secret-keys. - Revoke.
POST /auth/api/v1/secret-keys/{id}/revokedisables the key so it stops working; you can create a replacement at any time. - Delete.
DELETE /auth/api/v1/secret-keys/{id}removes it permanently.
These self-service secret keys are distinct from the user API keys and organization tokens covered in RBAC, Teams & Organizations — see that page for those credential types rather than duplicating them here.
Locked out of SSO / SSO provider down
- You only have SSO and can't get in (the SSO provider is down, misconfigured, or an admin disabled SSO): use the "Request access" option on the login screen. This calls
POST /auth/api/v1/sso/request-accessand emails every Tenant Admin in your tenant that you've requested access, with a link for them to invite or link your account. So the first people who can help are your own tenant's Admins/Owners — they can re-enable SSO, invite you, or link your account. - If password login is still enabled for your tenant, use the password reset flow above as a fallback to get in without SSO.
- If SSO is your only method and no admin is reachable (for example, the sole admin is themselves locked out): this needs Safeguard support — contact Safeguard support to arrange recovery.
For the admin-side emergency-access mechanism, see the Break-Glass section of RBAC, Teams & Organizations. For SSO setup, see SSO Authentication.