Well, the first problem I'm finding here, is that I have to authenticate (API login call) in order to make the "password reset" call. This kind of defeats the point, because if I already have a working pw then I don't need to reset. Maybe there's a different use case for this though. Is there a way to make the "password" reset call without having to authenticate (possibly with the username only)?

In any case, when I make the "password reset" call I receive the email saying:

**************
Hello,

A request has been made to reset your Website account password. To reset your password, you will need to submit this verification code in order to verify that the request was legitimate.

The verification code is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Select the URL below and proceed with resetting your password.

mywebsite.com/index.php?option=com_comprofiler&token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&view=lostpassword

Thank you.
**************

When I click the link I'm taken to the password recovery page (see attached) which asks me to go through the process again of entering my email and username in order to reset again. I'm guessing this defaults to the CB email and module since it's being overridden in the core.

I think what I'll be doing is synchronizing all passwords initially with my external system and then when a user updates their password (after authenticating/logging in via API), I will update in both places. I just need to know which API call a user would use to update their own password field on the Joomla profile, and if that will go through the process of Hashing it like it normally does.

Thanks.

Attached.

I just need to know which API call a user would use to update their own password field on the Joomla profile, and if that will go through the process of Hashing it like it normally does.