Request a password-reset code
POST /api/v1/password/forgot
Always 200, whether or not the identifier exists (does not leak account existence).
Request
Code sent if the account exists
Missing/invalid/disabled touchpoint credential
App-level rate limit exceeded