Change Password


An endpoint where the authenticated user can change their password. If you send a GET request to this endpoint, a simple form is shown in which the user can change their password manually.



You can use a custom template, which matches the look and feel of your application (see the template_path parameter), or specify custom CSS styles using the styles parameter.

Alternatively, you can change the password programmatically by sending a POST request to this endpoint (passing in old_password, new_password and confirm_new_password parameters as JSON, or as form data).

When the password change is successful, we invalidate the session cookie, and redirect the user to the login endpoint.
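
The POST and the success response described above, as an added example that is not part of the Piccolo API project's code. It assumes the route is mounted at /private/change-password/ as in the demo app on this page, and that the CSRF cookie and header are named csrftoken and X-CSRFToken (adjust them to match your CSRFMiddleware settings). The first function builds the JSON request without sending it; the second checks that a response both redirects to the login URL and expires the session cookie.

```python
import json
import urllib.request
from http.cookies import SimpleCookie
from urllib.parse import urljoin

SESSION_COOKIE = "id"        # session_cookie_name default from the signature on this page
CSRF_COOKIE = "csrftoken"    # assumption: must match your CSRFMiddleware settings
CSRF_HEADER = "X-CSRFToken"  # assumption: must match your CSRFMiddleware settings


def build_change_password_request(base_url, session_id, csrf_token, old_password, new_password):
    """Build (without sending) the JSON POST for the demo's change password route."""
    body = json.dumps({
        "old_password": old_password,
        "new_password": new_password,
        "confirm_new_password": new_password,
    }).encode()
    return urllib.request.Request(
        urljoin(base_url, "/private/change-password/"),
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            # The CSRF token travels twice: once as a cookie, once as a header.
            "Cookie": f"{SESSION_COOKIE}={session_id}; {CSRF_COOKIE}={csrf_token}",
            CSRF_HEADER: csrf_token,
        },
    )


def session_was_revoked(status, headers, login_url="/login/"):
    """True if the response redirects to login_url and expires the session cookie."""
    redirected = cookie_expired = False
    for name, value in headers:
        if name.lower() == "location":
            redirected = 300 <= status < 400 and value == login_url
        elif name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            if SESSION_COOKIE in jar and jar[SESSION_COOKIE]["max-age"] == "0":
                cookie_expired = True
    return redirected and cookie_expired


# Constructed sample response headers, for illustration only.
SAMPLE_HEADERS = [
    ("location", "/login/"),
    ("set-cookie", 'id=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/; SameSite=lax'),
]
```

Running session_was_revoked against real responses in an integration test catches a deployment where session_cookie_name was overridden or set to None and the browser keeps a stale cookie after the password change.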


Only authenticated users can change their passwords!


In this example we show how the endpoint integrates with a Starlette app using session auth.

For the complete source code, see the demo project on GitHub.

from starlette.applications import Starlette
from starlette.endpoints import HTTPEndpoint
from starlette.middleware import Middleware
from starlette.middleware.authentication import AuthenticationMiddleware
from starlette.requests import Request
from starlette.responses import HTMLResponse, RedirectResponse
from starlette.routing import Mount, Route

from piccolo_api.change_password.endpoints import change_password
from piccolo_api.csrf.middleware import CSRFMiddleware
from piccolo_api.register.endpoints import register
from piccolo_api.session_auth.endpoints import session_login
from piccolo_api.session_auth.middleware import SessionsAuthBackend


class HomeEndpoint(HTTPEndpoint):
    async def get(self, request):
        return HTMLResponse(
            "<style>body{font-family: sans-serif;}</style>"
            "<h1>Change Password Demo</h1>"
            '<p>First <a href="/register/">register</a></p>'  # noqa: E501
            '<p>Then <a href="/login/">login</a></p>'  # noqa: E501
            '<p>Then try <a href="/private/change-password/">changing your password</a></p>'  # noqa: E501
        )


def on_auth_error(request: Request, exc: Exception):
    # Unauthenticated requests to the private app are sent to the login page.
    return RedirectResponse("/login/")


# Everything mounted under /private/ requires a valid session.
private_app = Starlette(
    routes=[Route("/change-password/", change_password())],
    middleware=[
        Middleware(
            AuthenticationMiddleware,
            on_error=on_auth_error,
            # Users created via the register endpoint are not admins.
            backend=SessionsAuthBackend(admin_only=False),
        ),
    ],
)


app = Starlette(
    routes=[
        Route("/", HomeEndpoint),
        Route("/login/", session_login()),
        Route(
            "/register/",
            register(redirect_to="/login/", user_defaults={"active": True}),
        ),
        Mount("/private/", private_app),
    ],
    middleware=[
        # CSRF protection covers the login, register and change password forms.
        Middleware(CSRFMiddleware, allow_form_param=True),
    ],
)

If you want to use FastAPI instead, just make the following minor changes:

  • Change the imports from starlette -> fastapi

  • Change Starlette -> FastAPI


piccolo_api.change_password.endpoints.change_password(login_url: str = '/login/', session_table: Type[SessionsBase] | None = SessionsBase, session_cookie_name: str | None = 'id', template_path: str | None = None, styles: Styles | None = None, read_only: bool = False) -> Type[ChangePasswordEndpoint]

An endpoint for changing passwords.

  • login_url – Where to redirect the user to after successfully changing their password.

  • session_table – If provided, when the password is changed, the sessions for the user will be invalidated in the database.

  • session_cookie_name – If provided, when the password is changed, the session cookie with this name will be deleted.

  • template_path – If you want to override the default change password HTML template, you can do so by specifying the absolute path to a custom template. For example '/some_directory/change_password.html'. Refer to the default template at piccolo_api/templates/change_password.html as a basis for your custom template.

  • styles – Modify the appearance of the HTML template using CSS.


  • read_only – If True, the endpoint only responds to GET requests. It’s not commonly needed, except when running demos.