Skip to content

Password Reset

Odeion does not send email. Password resets work through one-time reset links that an admin (or the server operator) generates and hands to the user out of band.

An admin generates a reset link for any user from Admin > Users. The token is valid for 24 hours by default, can be redeemed once, and stops working the moment it is used.

Give the link to the user through whatever channel you trust. Anyone holding the link can set the account’s password, so treat it like a temporary credential.

Opening the link presents a form to set a new password (minimum 8 characters). Redeeming a reset does not sign the user in and does not revoke their existing sessions.

When the only admin is locked out and nobody can issue a link through the UI, use the CLI on the server host:

Terminal window
odeion reset-password <username>
odeion reset-password alice --expires-in=1h

The command prints the reset token, its expiry, and (when the base URL is configured) a complete URL to open in a browser. Two things make the CLI different from the admin UI flow:

  • It needs no authentication beyond shell access to the server.
  • If the account is locked, the lock is cleared at the same time.

See the CLI Reference for flags.

A reset link issued from the admin UI does not unlock a locked account; the user could set a new password and still be unable to sign in. Unlock the account in Admin > Users first, or use the CLI command, which does both. See Rate Limiting and Account Locking.