To reset a user's password without a session token using the Ory Kratos API, you can use the recovery flow methods. These operations do not require authentication: 1.

createNativeRecoveryFlow

2.

createBrowserRecoveryFlow

3.

getRecoveryFlow

4.

updateRecoveryFlow

You can find more information about these methods in the [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api). Additionally, in some scenarios, it might be useful to revoke all active sessions of the user when they recover their account. This forces anyone with access to the account to re-authenticate using the new password set up in the recovery process. To trigger this behavior, use the

after_recovery

hook. Here's how you can do it: 1. Get the Ory Identities config with Ory CLI:

bash ## List all available projects   ory list projects      ## Get config   ory get identity-config {project-id} --format yaml > identity-config.yaml

2. Add the hook configuration to the downloaded file.

bash selfservice:     flows:     recovery:     enabled: true     ui_url: <http://your.ui/recovery>   + after:   + hooks:   + - hook: revoke_active_sessions

3. Update the Ory Identities configuration using the file you worked with:

bash ory update identity-config {project-id} --file identity-config.yaml

You can learn how to add and configure hooks for self-service user flows [here](https://www.ory.sh/docs/kratos/hooks/configure-hooks). Please note that you can also initiate account recovery for users using the admin API endpoints, even for users that don't have a recovery address configured. However, if the recovery flow initiated through the admin API expires, users without a recovery address can't start the flow again by themselves. You can read more about the account recovery flow [here](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset).