# Customer password resets

Registered customer passwords can be reset in three steps:

1. [Create a new customer password reset](https://docs.commercelayer.io/core-api-reference/customer_password_resets/create) with the customer's email.
2. Get the reset password token from the response.
3. [Update the customer password reset](https://docs.commercelayer.io/core-api-reference/customer_password_resets/update) resource passing the token and the new password.

{% hint style="info" %}
Reset password tokens expire after **6 hours**.
{% endhint %}

{% hint style="warning" %}
It's your responsibility to verify the customer's identity before the third step. A typical flow is to send an email to the customer with a verification link that includes the reset password token.
{% endhint %}

{% hint style="info" %}
If the customer is a guest (i.e. has no password associated yet), there's no need to use the customer password reset resource. To set a password for a guest customer, just [update the customer](https://docs.commercelayer.io/core-api-reference/customers/update) resource, passing the desired password.
{% endhint %}

For security reasons, customer passwords must be managed using [integration](https://app.gitbook.com/s/-LgByaSP8eKjad-MIuHE/api-credentials#integration) API credentials only. [Sales channels](https://app.gitbook.com/s/-LgByaSP8eKjad-MIuHE/roles-and-permissions#sales-channel) are only allowed to perform update actions.
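The three steps and the emailed verification link, as an added server-side sketch (not Commerce Layer's own code) that builds the two requests without sending them. The host, storefront URL and sample response are constructed placeholders; the attribute names (`customer_email`, `reset_password_token`, `customer_password`, `_reset_password_token`) should be checked against the linked API reference, and the 6 hours are assumed to count from creation.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

API = "https://yourdomain.commercelayer.io/api"  # placeholder organization endpoint
RESET_PAGE = "https://shop.example.com/reset"    # hypothetical storefront page
TOKEN_TTL = timedelta(hours=6)                   # expiry stated on this page

def create_request(email):
    # Step 1: POST with the customer's email (integration credentials, server side only).
    body = {"data": {"type": "customer_password_resets",
                     "attributes": {"customer_email": email}}}
    return "POST", f"{API}/customer_password_resets", body

def verification_link(create_response):
    # Step 2: read the token from the response and put it only in the emailed link,
    # never in the HTTP response to whoever submitted the "forgot password" form.
    data = create_response["data"]
    query = urlencode({"id": data["id"],
                       "token": data["attributes"]["reset_password_token"]})
    return f"{RESET_PAGE}?{query}"

def update_request(link, new_password, created_at, now):
    # Step 3: runs only after the customer followed the emailed link.
    params = parse_qs(urlparse(link).query)  # blank values are dropped
    if set(params) != {"id", "token"}:
        raise ValueError("malformed reset link")
    reset_id, token = params["id"][0], params["token"][0]
    if not reset_id.isalnum():  # keep link input from altering the API path
        raise ValueError("unexpected characters in reset id")
    if now - created_at > TOKEN_TTL:  # assumption: the 6 hours count from creation
        raise ValueError("reset token expired, start a new reset")
    body = {"data": {"type": "customer_password_resets", "id": reset_id,
                     "attributes": {"customer_password": new_password,
                                    "_reset_password_token": token}}}
    return "PATCH", f"{API}/customer_password_resets/{reset_id}", body

# Constructed sample response (not real API output).
SAMPLE_CREATED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {"data": {"id": "xYZkjABcde", "type": "customer_password_resets",
                            "attributes": {"customer_email": "jane@example.com",
                                           "reset_password_token": "sample-token-123"}}}

if __name__ == "__main__":
    link = verification_link(SAMPLE_RESPONSE)
    print(link)
    print(update_request(link, "new-secret", SAMPLE_CREATED,
                         SAMPLE_CREATED + timedelta(hours=1)))
```

`created_at` is expected to come from server-side state recorded at step 1, not from the link, since anything in the link is controlled by whoever opens it.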
