Secure Password Resets, Delivered Instantly

Time-limited reset tokens with device and location context. Reliable instant delivery prevents lockouts and reduces support volume.


Why this matters

Delayed password reset emails lock users out of their accounts and generate avoidable support tickets. Every minute a user waits for a reset email is a minute they might abandon your product. Beyond speed, reset emails must include security context — device, location, IP — to help users identify unauthorized reset attempts. Getting both right requires reliable, instant infrastructure.


How MultiMail solves this

MultiMail's AI agent handles password reset emails with the urgency and reliability they require. When a reset request arrives, the agent generates a time-limited token, composes an email with security context (IP, browser, location), and sends it immediately under autonomous oversight. The API's reliability ensures reset emails arrive within seconds, preventing lockouts.

1. Receive Reset Request

Your application sends a password reset event to the AI agent when a user clicks 'Forgot Password.' The event includes the user's email, IP address, browser, and location data.

2. Generate Secure Token

Your application generates a cryptographic reset token with a short expiration window (typically 15-30 minutes) and creates the reset URL.

3. Compose Security-Aware Email

The agent includes the reset link alongside security context: the IP address, browser, and approximate location of the requester. This helps users identify unauthorized reset attempts.

4. Send Immediately

Under autonomous oversight, the reset email is sent instantly via send_email. Speed is critical — every second of delay increases the risk of user abandonment or duplicate requests.


Implementation

Send Password Reset Email
python
import requests

API = "https://api.multimail.dev/v1"
HEADERS = {"Authorization": "Bearer mm_live_xxx"}

def send_password_reset(user: dict, request_context: dict):
    # generate_reset_url() and build_reset_html() are application-provided
    # helpers (not shown here); the first creates the time-limited token.
    reset_url = generate_reset_url(user["id"])

    body = (
        f"Hi {user['name']},\n\n"
        f"We received a password reset request for your account.\n\n"
        f"Reset your password: {reset_url}\n\n"
        f"This link expires in 15 minutes.\n\n"
        f"Request details:\n"
        f"  IP: {request_context['ip']}\n"
        f"  Browser: {request_context['browser']}\n"
        f"  Location: {request_context['location']}\n\n"
        f"If you didn't request this reset, you can safely "
        f"ignore this email. Your password will not be changed."
    )

    response = requests.post(
        f"{API}/send",
        headers=HEADERS,
        json={
            "from": "[email protected]",
            "to": user["email"],
            "subject": "Reset your password (link expires in 15 minutes)",
            "text_body": body,
            "html_body": build_reset_html(user, reset_url, request_context)
        },
        timeout=10,  # never let a hung connection stall the reset flow
    )
    # Fail loudly if the API rejected the message, so the caller can retry.
    response.raise_for_status()
    print(f"Reset email sent in {response.elapsed.total_seconds():.2f}s")

Handle a password reset request and send a secure reset email with device context.
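
The snippet above calls generate_reset_url() without showing it, and step 2 leaves token generation to your application. The following is an added example, not MultiMail's code, of one way to issue and redeem a single-use, time-limited token. The in-memory store, the RESET_BASE_URL placeholder and the redeem_reset_token name are assumptions.

```python
from __future__ import annotations
import hashlib
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 15 * 60  # the 15-minute window promised in the email text
RESET_BASE_URL = "https://app.example.com/reset"  # placeholder, not from the page

# Constructed in-memory store: token digest -> (user_id, expiry).
# A real application would keep this in its database.
PENDING_RESETS: dict[str, tuple[str, float]] = {}

def token_digest(token: str) -> str:
    # Store only the SHA-256 digest so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def generate_reset_url(user_id: str, now: float | None = None) -> str:
    now = time.time() if now is None else now
    # A new request invalidates older links, so only the most recent one works.
    for digest in [d for d, (uid, _) in PENDING_RESETS.items() if uid == user_id]:
        del PENDING_RESETS[digest]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    PENDING_RESETS[token_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return f"{RESET_BASE_URL}?{urlencode({'token': token})}"

def redeem_reset_token(token: str, now: float | None = None) -> str | None:
    """Return the user id for a valid token and consume it; otherwise None."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.pop(token_digest(token), None)  # pop = single use
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now <= expires_at else None
```
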

Detect Suspicious Reset Attempts
python
import requests

API = "https://api.multimail.dev/v1"
HEADERS = {"Authorization": "Bearer mm_live_xxx"}

def check_reset_abuse(user: dict, request_context: dict) -> bool:
    """Check for suspicious reset patterns."""
    # get_recent_resets() is an application-provided helper (not shown here).
    recent_resets = get_recent_resets(user["id"], hours=1)

    if len(recent_resets) > 3:
        # Multiple reset attempts — send security alert
        response = requests.post(
            f"{API}/send",
            headers=HEADERS,
            json={
                "from": "[email protected]",
                "to": user["email"],
                "subject": "Security alert: Multiple password reset attempts",
                "text_body": (
                    f"Hi {user['name']},\n\n"
                    f"We detected {len(recent_resets)} password reset "
                    f"attempts on your account in the last hour.\n\n"
                    f"If this was you, you can use the most recent "
                    f"reset link. If not, we recommend enabling 2FA."
                )
            },
            timeout=10,  # do not block the request path on a hung connection
        )
        response.raise_for_status()  # surface a failed alert to the caller
        return True
    return False

Flag unusual reset patterns and send security alerts.
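
check_reset_abuse() relies on get_recent_resets(), which is not shown, and counts attempts only. The following is an added example, not MultiMail's code, of a sliding-window log that backs that helper and also flags requests arriving from several different IPs. The in-memory log, the MAX_DISTINCT_IPS threshold and the record_reset_request and reset_risk names are assumptions.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # the one-hour window used by check_reset_abuse
MAX_ATTEMPTS = 3        # same threshold as above: more than 3 triggers the alert
MAX_DISTINCT_IPS = 2    # assumed threshold for "different IPs"

# Constructed in-memory log: user_id -> deque of (timestamp, ip), oldest first.
RESET_LOG = defaultdict(deque)

def record_reset_request(user_id, ip, now=None):
    """Append one reset request and drop entries older than the window."""
    now = time.time() if now is None else now
    log = RESET_LOG[user_id]
    log.append((now, ip))
    while log and log[0][0] < now - WINDOW_SECONDS:
        log.popleft()

def get_recent_resets(user_id, hours=1, now=None):
    """Return the (timestamp, ip) entries that fall inside the last `hours`."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    return [entry for entry in RESET_LOG[user_id] if entry[0] >= cutoff]

def reset_risk(user_id, now=None):
    """Return the reasons a user's recent reset activity looks suspicious."""
    recent = get_recent_resets(user_id, hours=1, now=now)
    distinct_ips = {ip for _, ip in recent}
    reasons = []
    if len(recent) > MAX_ATTEMPTS:
        reasons.append("volume")
    if len(distinct_ips) > MAX_DISTINCT_IPS:
        reasons.append("distinct_ips")
    return reasons
```
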

MCP Tool Integration
typescript
// Using MultiMail MCP tools for password resets
// `mcp`, `User`, `RequestContext` and `generateResetUrl` are provided by your application.

async function handlePasswordReset(
  user: User,
  context: RequestContext
) {
  const resetUrl = generateResetUrl(user.id);

  // Send reset email immediately
  await mcp.send_email({
    to: user.email,
    subject: "Reset your password (link expires in 15 minutes)",
    text_body: [
      `Hi ${user.name},`,
      ``,
      `Reset your password: ${resetUrl}`,
      `This link expires in 15 minutes.`,
      ``,
      `Request details:`,
      `  IP: ${context.ip}`,
      `  Browser: ${context.browser}`,
      `  Location: ${context.location}`,
      ``,
      `If you didn't request this, ignore this email.`
    ].join("\n")
  });

  // Log the reset event
  await mcp.add_contact({
    email: user.email,
    metadata: {
      last_reset_request: new Date().toISOString(),
      reset_ip: context.ip
    }
  });
}

Send password reset emails using MultiMail MCP tools.


What you get

Sub-Second Delivery

Autonomous mode sends reset emails the instant the request is received. No queue, no delay, no frustrated users staring at an empty inbox.

Reduce Support Tickets

Fast, reliable reset emails prevent the cascade of support tickets from users who can't access their accounts. Fewer lockouts means fewer interruptions for your support team.

Security Context Included

Every reset email includes IP address, browser, and location so users can identify unauthorized reset attempts at a glance.

Abuse Detection

Your AI agent can detect unusual reset patterns (multiple attempts from different IPs) and send security alerts proactively.


Recommended oversight mode

Recommended: autonomous
Password reset emails are security-critical and must be sent instantly. They contain no AI-generated content that could be incorrect — just a secure link and factual request context. Autonomous mode is the only appropriate choice for time-sensitive security emails.

Common questions

How fast are reset emails delivered?
MultiMail processes API requests in real time. The reset email is sent within milliseconds of the API call, and delivery to the user's inbox typically takes 5-15 seconds depending on their email provider. This is fast enough that users see the email before they finish switching to their inbox.
What if the reset email goes to spam?
MultiMail manages sender reputation, DKIM, SPF, and DMARC configuration to maximize inbox delivery rates. Sending from a dedicated security@ address with proper authentication typically achieves 99%+ inbox placement. If deliverability issues arise, MultiMail's monitoring detects them early.
Can I customize the token expiration time?
Token expiration is managed by your application, not MultiMail. MultiMail delivers whatever content you include in the email. Set your token expiration based on your security requirements — 15 minutes is standard, but some applications use 30 minutes or 1 hour.
Should I include the user's email address in the reset email?
Yes — include a partial email (e.g., 'j***@example.com') so users can confirm they're resetting the right account, especially if they have multiple accounts. Never include the full reset token in the email body; always use a link with the token as a URL parameter.
