Hi All,
In the change password flow an e-mail is sent in order to redirect the user to the change password page. The link in the email has a “key” querystring parameter that contains a valid access token that can also be used for other means… Is there a way to “hide” that token?
This token is not an access token, it’s an action token which is signed with a confidential key, which is only usable by Keycloak itself. That’s what Keycloak does by default.
If it’s different, then there is some customization done.
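
An added example, not part of the thread above and not Keycloak's own code: one way to check what the `key` parameter in such a link carries, by decoding its JWT claims without verifying the signature. It assumes the value is a JWT, that access tokens carry a `typ` claim of `Bearer` while a reset-password action token carries `reset-credentials`; the sample link, host and claims are constructed.

```python
import base64
import json
from urllib.parse import urlparse, parse_qs


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_key_param(link: str) -> dict:
    """Decode (without verifying) the JWT carried in the link's `key` parameter."""
    values = parse_qs(urlparse(link).query).get("key")
    if not values:
        raise ValueError("link has no 'key' query parameter")
    parts = values[0].split(".")
    if len(parts) != 3:
        raise ValueError("'key' is not a three-part JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    typ = claims.get("typ")
    return {
        "alg": header.get("alg"),
        "typ": typ,
        "exp": claims.get("exp"),
        # Assumption: an access token identifies itself with typ "Bearer".
        "looks_like_access_token": typ == "Bearer",
    }


# Constructed sample, not a real token: claims modelled on a reset-password
# action token, with a dummy signature segment.
SAMPLE_HEADER = {"alg": "HS256", "typ": "JWT"}
SAMPLE_CLAIMS = {"typ": "reset-credentials", "exp": 1700000300,
                 "sub": "constructed-user-id"}
SAMPLE_LINK = (
    "https://sso.example.test/realms/demo/login-actions/action-token?key="
    + _b64url_encode(SAMPLE_HEADER) + "." + _b64url_encode(SAMPLE_CLAIMS) + ".c2ln"
)

if __name__ == "__main__":
    print(inspect_key_param(SAMPLE_LINK))
```

If `looks_like_access_token` comes back true for a link from a real password-reset e-mail, that points to the customization the answer mentions rather than default behaviour.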