Question 1

How do I set up .well-known/change-password on my website?

Accepted Answer

Configure your web server to redirect requests to /.well-known/change-password to your actual password change page. For example, on Apache, use a Redirect rule in .htaccess, and on Nginx, add a location block in the server config to handle the redirect.

Question 2

Which password managers support the change password URL?

Accepted Answer

As listed in the FAQ, tools like 1Password, iCloud Keychain, Safari, and Chrome have implemented this feature, allowing users to navigate directly to password change forms from within these managers for supported sites.

Question 3

What's the difference between this spec and using OAuth for account management?

Accepted Answer

This spec is a simple redirect for password changes only, while OAuth is a full authorization framework for accessing user data across services. Use .well-known/change-password for basic password updates; OAuth is better for integrated, multi-service account control.

Question 4

Can I use this for other account actions like updating email or profile?

Accepted Answer

No, the specification is deliberately minimal and only covers password changes. The FAQ explains that they avoided adding JSON resources for other functions to keep it simple, but future specs could address other account management needs.

Question 5

How does the change password URL handle authentication or user sessions?

Accepted Answer

The spec doesn't handle authentication; it only provides a redirect to the password change page. Websites must ensure the target page manages user sessions and authentication separately, as this is outside the scope of the URL itself.

Question 6

Is there a way to test if my .well-known/change-password is working correctly?

Accepted Answer

Yes, use tools like curl or browser developer tools to send a request to the URL. Check if it returns a 2xx or 3xx status code and redirects properly. Password managers detect this automatically, but manual verification helps ensure compatibility.

A Well-Known URL for Changing Passwords

What is A Well-Known URL for Changing Passwords?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions