Securely creating users for server-to-server use cases
Users are created via the /v1/signup endpoint. A user is assigned an email address (which doubles as the username) and a password by the creating service. For server-to-server use cases we strongly recommend using a random hash as the email / username instead of a real email address: a username that cannot be guessed or enumerated gives email dictionary attacks (and the credential stuffing that follows them) nothing to target.
When creating the user, your mandator secret is required.
When is a user password assigned?
A user password is assigned (by you) when you first sign up the user. Note that a server-to-server signup process must provide the clientSecret in order to skip the otherwise mandatory email verification; a randomly generated username has no mailbox behind it that could receive a verification mail.
...
A password can be reset by the user's mandator, using mandator credentials. Alternatively, a user with the role ROLE_USER_MANAGEMENT may reset a user's password. In either case, resetting passwords is limited to users within the scope of the authenticated mandator.
For security reasons, editing users (including resetting the password) with mandator credentials is only possible by specifying the username / email. Note that for server-to-server users the email / username will typically be the random hash assigned by the creating service, so that value must be stored alongside the credentials when the user is created.
Resetting via ROLE_USER_MANAGEMENT
To do so, a user account in your organization must have ROLE_USER_MANAGEMENT. This account may then update the user with a new password using the update user endpoint. Again, an update can only be done by specifying the user's email / username.
Resetting via mandator credentials
...