# Set new password after recovery

Step 3 of password recovery: sets the new password for an unauthenticated user. Requires that the recovery code was previously validated via /recover/check-code. Sends a confirmation email and invalidates all existing sessions. Must NOT be authenticated - returns error if called with an active session.

Endpoint: POST /api/v1/accounts/password/recover/change
Version: 1.0
Security: 

## Request fields (application/json):

  - `login` (string, required)
    Email or username
    Example: "user@gmail.com or john_smith"

  - `newPassword` (string, required)
    New password, enforced by password policy
    Example: "PassW0rd!"

## Response 400 fields (application/json):

  - `errorCode` (string, required)
    Error code

  - `message` (string, required)
    Error message

  - `docUrl` (string)
    Link to documentation

## Response 404 fields (application/json):

  - `errorCode` (string, required)
    Error code

  - `message` (string, required)
    Error message

  - `docUrl` (string)
    Link to documentation


