Password Reset Email Link Contains Token

Hi All,
In the change password flow an e-mail is sent in order to redirect the user to the change password page. The link in the email has a “key” querystring parameter that contains a valid access token that can be used also for other means… Is there a way to “hide” that token?

Thanks for your time!

P.S. we are using keycloak 23

This token is not an access token, it’s an action token which is signed with a confidential key, which is only usable by Keycloak itself. That’s what Keycloak does by default.
If it’s different, then there is some customization done.
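One way to confirm the reply above on your own realm is to look at the JWT carried in the “key” parameter without trusting it. The script below is an added example written for this thread, not code from Keycloak or from either poster. It assumes the Keycloak convention that access tokens carry `"typ": "Bearer"` while action tokens carry an action-specific `typ` such as `"reset-credentials"`; the sample link path, the sample tokens and the HS256 secret used to build them are constructed for the demo (a real action token is signed by the realm's own key, which only Keycloak holds, so the signature is deliberately not verified here).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def peek_jwt(token: str):
    """Split a compact JWS into (header, payload) WITHOUT verifying the signature.

    Inspection only: the realm key needed to verify an action token lives
    inside Keycloak, so a client can read the claims but never vouch for them.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now: Optional[int] = None) -> dict:
    """Report whether a token looks like a bearer access token or an action token.

    Assumption (Keycloak convention): access tokens use typ "Bearer", action
    tokens use an action-specific typ such as "reset-credentials".
    """
    header, payload = peek_jwt(token)
    now = int(time.time()) if now is None else now
    typ = payload.get("typ")
    if typ == "Bearer":
        kind = "access-token"
    elif typ:
        kind = "action-token"
    else:
        kind = "unknown"
    exp = payload.get("exp")
    return {
        "kind": kind,
        "typ": typ,
        "alg": header.get("alg"),
        "sub": payload.get("sub"),
        "ttl_seconds": None if exp is None else exp - now,
    }


def classify_reset_link(link: str, now: Optional[int] = None) -> dict:
    """Pull the 'key' querystring parameter out of a reset link and classify it."""
    query = parse_qs(urlparse(link).query)
    if "key" not in query:
        raise ValueError("link has no 'key' parameter")
    return classify_token(query["key"][0], now)


# --- constructed sample data (not real Keycloak output) -----------------------
def _make_sample_token(payload: dict, secret: bytes = b"demo-only-secret") -> str:
    """Build an HS256 JWS with a throwaway secret, purely so the demo runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(payload).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


NOW = 1_700_000_000  # fixed clock so ttl values are reproducible
SAMPLE_ACTION_TOKEN = _make_sample_token({
    "typ": "reset-credentials",  # assumed action-token typ
    "iss": "https://keycloak.example.invalid/realms/demo",
    "sub": "user-id-placeholder",
    "iat": NOW,
    "exp": NOW + 300,  # short-lived, unlike a session
})
SAMPLE_ACCESS_TOKEN = _make_sample_token({
    "typ": "Bearer",
    "sub": "user-id-placeholder",
    "iat": NOW,
    "exp": NOW + 300,
})
SAMPLE_RESET_LINK = (
    "https://keycloak.example.invalid/realms/demo/login-actions/action-token"
    f"?key={SAMPLE_ACTION_TOKEN}&client_id=account"
)

if __name__ == "__main__":
    print(classify_reset_link(SAMPLE_RESET_LINK, now=NOW))
    print(classify_token(SAMPLE_ACCESS_TOKEN, now=NOW))
```

Paste the link from a real reset e-mail into `classify_reset_link` and the output shows the `typ`, signing algorithm and remaining lifetime; a `kind` of `access-token` on that parameter would be the sign of the customization dasniko mentions, since a stock reset link should only ever carry an action token.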

Thanks for the quick response dasniko.
I’ve missed the info that the token was in fact not an access token but an action token.
