both html form based flow and API based flow

desired reset flow:

On the login page, there should be a “Forgot your password?” link

When a user gets to the password reset page (/reset/form), we should ask for their email address.

After the user has entered their email address, send them an email with a link to the password reset page on your site. This link should contain a unique password reset token that expires after a configurable amount of time and on first use.

After submitting the password reset form, display a success page (/reset/form/success) with instructions to check their email.

After the user clicks the link in their email, they should be brought to a page on your site that prompts them to enter a new password. Validate the token before the page is displayed and show an error message if it's incorrect. (/reset/token/q398nctypq9384nypqc3498cn)

After submitting their new password, change their password in the database and mark the token as used, so it can't be re-used. Email the user letting them know that their password has been reset.

Redirect to a new page that informs them that their password has been changed and they have been logged in.

Send the user an email once their password has been changed letting them know what happened.