Submit Recovery
Submit an email to receive a recovery code, then submit the code to reset your password.
Endpoint
POST /v1/flows/recovery/{flow_id}:submit
Base URL: https://api-id.avnology.net
Authentication: None required (CSRF token in body)
Recovery is a two-step process:
- Step 1: Submit your email address to receive a recovery code
- Step 2: Submit the code to verify your identity and gain a privileged session that allows password reset
Request
Step 1: Request Recovery Code
Step 2: Submit Recovery Code
curl -X POST "https://api-id.avnology.net/v1/flows/recovery/c3d4e5f6-a7b8-9012-cdef-123456789012:submit" \
-H "Content-Type: application/json" \
-d '{
"method": "code",
"body": {
"code": "529174",
"csrf_token": "dG9rZW4..."
}
}'
Response
After Step 1 -- Code Sent
{
"continue_flow": {
"id": "c3d4e5f6-a7b8-9012-cdef-123456789012",
"type": "recovery",
"state": "sent_email",
"ui": {
"nodes": [
{ "type": "input", "group": "default", "attributes": { "name": "csrf_token",
After Step 2 -- Recovery Session Created
On successful code verification, a privileged session is created. The response redirects to a settings flow where the user can set a new password:
{
"session": {
"id": "ses_2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e",
"token": "avnl_ses_recovery_...",
"expires_at": "2026-04-08T12:15:00Z",
"identity": {
"id": "usr_4f18acec-2712-4be7-a9af-b063b4f6deba",
"email": "[email protected]"
}
}
}
Use this session token to create a Settings Flow and submit a new password.
Errors
| Status | Code | Description |
|---|---|---|
| 400 | AVNOLOGY_AUTH_009 | Flow expired |
| 400 | AVNOLOGY_AUTH_018 | Invalid recovery code |
| 400 | AVNOLOGY_AUTH_019 | Recovery token expired |
| 429 | AVNOLOGY_AUTH_021 | Rate limit exceeded |
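An added example, not part of the Avnology reference or SDK: a Python helper that builds the Step 2 request and maps each response to a next step using the error codes in the table above. The function and action names, the 2xx success check, and the assumption that the error code string appears somewhere in the error body are this example's own.

```python
import json
import uuid
from datetime import datetime

BASE = "https://api-id.avnology.net/v1/flows/recovery"

# Codes from the Errors table; the action names are this example's own.
ACTIONS = {
    "AVNOLOGY_AUTH_009": "restart_flow",   # Flow expired
    "AVNOLOGY_AUTH_018": "reprompt_code",  # Invalid recovery code
    "AVNOLOGY_AUTH_019": "restart_flow",   # Recovery token expired
    "AVNOLOGY_AUTH_021": "back_off",       # Rate limit exceeded
}


def build_submit(flow_id, code, csrf_token):
    """Return (url, body_bytes) for Step 2; reject a malformed flow id."""
    # flow_id lands in the URL path, so accept only a canonical UUID string.
    if str(uuid.UUID(flow_id)) != flow_id.lower():
        raise ValueError("flow_id is not a canonical UUID")
    payload = {"method": "code", "body": {"code": code, "csrf_token": csrf_token}}
    return f"{BASE}/{flow_id}:submit", json.dumps(payload).encode()


def interpret(status, body_text, now):
    """Map a Step 2 response to one action for the caller."""
    if 200 <= status < 300:  # assumption: success is returned as 2xx
        session = json.loads(body_text)["session"]
        expires = datetime.fromisoformat(session["expires_at"].replace("Z", "+00:00"))
        if expires <= now:
            return {"action": "restart_flow", "reason": "session expired"}
        # Hand the privileged token to the caller only; keep it out of logs.
        return {"action": "create_settings_flow", "token": session["token"],
                "valid_for_s": int((expires - now).total_seconds())}
    for code, action in ACTIONS.items():
        if code in body_text:  # assumption: the code string is in the error body
            return {"action": action, "reason": code}
    # Unknown error: still honour a bare 429 instead of retrying the code.
    return {"action": "back_off" if status == 429 else "fail",
            "reason": f"HTTP {status}"}


if __name__ == "__main__":
    # Constructed sample response, modelled on the one shown on this page.
    sample = json.dumps({"session": {"token": "avnl_ses_recovery_SAMPLE",
                                     "expires_at": "2026-04-08T12:15:00Z"}})
    now = datetime.fromisoformat("2026-04-08T12:00:00+00:00")
    print(interpret(200, sample, now)["action"])
    print(interpret(400, '{"code": "AVNOLOGY_AUTH_018"}', now))
```

Treating `back_off` as a hard stop for the current code, rather than a cue to resubmit, keeps a client from burning through the rate limit while the flow is still valid.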
Code Examples
JavaScript (fetch)
async function requestRecoveryCode(flowId, email, csrfToken) {
return fetch(`https://api-id.avnology.net/v1/flows/recovery/${flowId}:submit`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify
Python (httpx)
import httpx
BASE = "https://api-id.avnology.net/v1/flows/recovery"
def request_recovery(flow_id: str, email: str, csrf_token: str) -> dict:
return httpx.post(
f"
Go (net/http)
func submitRecovery(ctx context.Context, flowID, code, csrfToken string) (*AuthFlowResult, error) {
body
Related
- Create Recovery Flow -- initiate recovery
- Create Settings Flow -- change password after recovery
- SDK: client.auth.resetPassword(code, newPassword) (TypeScript)