Bubble has a built-in password reset flow that sends a reset email and redirects users to the default reset_pw page. This tutorial shows you how to customize that flow with your own branded email, a custom reset page, validation logic, and confirmation feedback so the experience matches your app's design.
Overview: Building a Password Reset Flow in Bubble
Every app needs a way for users to recover their accounts. Bubble provides a built-in Send password reset email action that handles token generation and email delivery. This tutorial shows you how to use that action and customize every part of the experience — from the request form to the email template to the reset confirmation page. You will end up with a polished, branded password reset flow.
Prerequisites
- A Bubble app with user registration and login already working
- Access to the Settings tab for email configuration
- Basic familiarity with Bubble workflows and page navigation
Step-by-step guide
Create the password reset request page
Create the password reset request page
Create a new page called forgot-password. Add a Text element with the heading Forgot your password? and a description explaining the process. Add an Input element for the user's email address. Add a Button labeled Send Reset Link. In the button's workflow, add the action Account → Send password reset email. Set the email field to the Input's value. This triggers Bubble's built-in reset flow, which sends an email with a tokenized link.
Pro tip: Add a success message after the action confirming the email was sent, even if the email does not exist in your database — this prevents attackers from discovering which emails are registered.
Expected result: Users enter their email and receive a password reset link in their inbox.
Customize the reset email template
Customize the reset email template
Go to Settings in the left sidebar, then the Languages tab. Scroll down to find the password reset email fields. You can customize the email subject line, the body text, and the sender name. The reset link is automatically included by Bubble — it contains a unique token and points to your app's reset_pw page. Write friendly copy that matches your brand voice and clearly instructs the user to click the link.
Expected result: The password reset email uses your custom text and branding instead of Bubble's default template.
Design the custom reset_pw page
Design the custom reset_pw page
Every Bubble app has a default page called reset_pw. Navigate to it in the Design tab using the Pages dropdown. This page receives a token parameter automatically from the reset link. Add two Password Input elements: one for the new password and one for confirming the new password. Add a Button labeled Reset Password. Style the page to match your app's design — this is the page users see when they click the email link.
Pro tip: Do not delete or rename the reset_pw page — Bubble's password reset system depends on this exact page name.
Expected result: The reset_pw page has two password inputs and a submit button, styled to match your app.
Add password validation and the reset action
Add password validation and the reset action
In the Reset Password button's workflow, add conditions to validate the input: check that the new password meets your minimum length requirement using the character count operator, and verify that both password fields match. Add the action Account → Reset password with the new password set to the first Password Input's value. After the reset, add a navigation action to Go to page: login or show a success message confirming the password was changed.
Expected result: Users can only submit the form if both passwords match and meet the minimum length, and then they are redirected to the login page.
Add error handling for expired or invalid tokens
Add error handling for expired or invalid tokens
The reset token has an expiration period. If a user clicks an old link, the reset will fail. Add an event in the Workflow tab: An unhandled error occurs. In its action, display an Alert or navigate to a page with a message like This reset link has expired. Please request a new one. Add a link back to the forgot-password page so users can restart the process easily.
Expected result: Users who click an expired reset link see a friendly error message with a link to request a new one.
Complete working example
1PASSWORD RESET WORKFLOW SUMMARY2================================34PAGE: forgot-password5 Elements:6 - Input: EmailInput (content type: email)7 - Button: SendResetLink8 - Text: SuccessMessage (not visible on page load)910 Workflow: When SendResetLink is clicked11 Action 1: Account → Send password reset email12 → Email: EmailInput's value13 Action 2: Show element: SuccessMessage14 Action 3: Hide element: EmailInput15 Action 4: Hide element: SendResetLink1617PAGE: reset_pw (built-in, do not rename)18 Elements:19 - PasswordInput: NewPassword (placeholder: "New password")20 - PasswordInput: ConfirmPassword (placeholder: "Confirm password")21 - Button: ResetButton22 - Text: ErrorText (not visible on page load)2324 Workflow: When ResetButton is clicked25 Condition: Only when26 NewPassword's value's character count >= 827 AND NewPassword's value = ConfirmPassword's value28 Action 1: Account → Reset password29 → New password: NewPassword's value30 Action 2: Go to page: login3132 Workflow: When ResetButton is clicked33 Condition: Only when NewPassword's value is not ConfirmPassword's value34 Action: Show element: ErrorText ("Passwords do not match")3536 Workflow: An unhandled error occurs37 Action 1: Show Alert: "This reset link has expired."38 Action 2: Go to page: forgot-password3940SETTINGS:41 Languages tab → customize password reset email:42 - Subject: "Reset your [AppName] password"43 - Body: custom branded copy44 - Reset link auto-inserted by BubbleCommon mistakes when creating a password reset system in Bubble.io: Step-by-Step Guide
Why it's a problem: Deleting or renaming the reset_pw page
How to avoid: Keep the page named reset_pw and customize its design instead
Why it's a problem: Revealing whether an email exists in the database
How to avoid: Always show the same success message regardless of whether the email exists
Why it's a problem: Not validating password match before resetting
How to avoid: Add an Only When condition that checks both password fields are identical before running the reset action
Best practices
- Keep the reset_pw page name unchanged — Bubble's system depends on it
- Customize the email template in Settings → Languages to match your brand
- Always show the same success message whether or not the email exists in your database
- Require a minimum password length of 8 characters on the reset page
- Add visual password strength feedback using conditional formatting on the input element
- Handle expired token errors gracefully with a link back to the request page
- Test the full flow including email delivery before deploying to live
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I need to build a custom password reset flow in my Bubble.io app. I want a forgot-password page, a customized reset email, and a branded reset_pw page with password validation. Can you walk me through the exact elements, workflows, and settings I need?
Build a password reset system for my app. I need a forgot-password page where users enter their email, a customized reset email, and a reset_pw page with password validation and confirmation. Set up all the workflows.
Frequently asked questions
How long is the password reset token valid?
Bubble's password reset tokens are valid for 24 hours by default. After that, the link expires and the user must request a new one.
Can I change the sender email address for reset emails?
On paid plans, you can configure a custom email domain in Settings. On the Free plan, emails are sent from a Bubble default address. Using a custom domain improves deliverability.
Why are my reset emails going to spam?
This is common with Bubble's default email sending. Set up a custom email domain with SPF and DKIM records, or use a third-party email service like SendGrid via the API Connector for better deliverability.
Can I send the reset email via a third-party service instead?
Yes. You can create your own token system using a backend workflow, store the token and expiry in the database, and send the email via SendGrid, Mailgun, or Postmark using the API Connector.
What if the user never receives the email?
Add a Resend link on the forgot-password page that lets users request another email. Check your email configuration in Settings and verify the user's email is correct in the database.
Can RapidDev help with custom authentication flows?
Yes. RapidDev has built custom authentication systems in Bubble including passwordless login, magic links, SSO, and enterprise-grade reset flows with audit logging.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation