
How do I reset my password?

If you've forgotten your password — or just want to change it — BluAuth can email you a secure reset link. The whole flow takes about a minute, and your account stays protected the entire time.

1. Go to the sign-in page

Open the app you're trying to sign into. You'll land on a sign-in page that looks like your company's branding — that's BluAuth. The URL might be auth.blutools.io or a subdomain your team uses. Either way, the reset flow is the same.

2. Click "Forgot your password?"

Under the password field, click the Forgot your password? link.

3. Enter your email

Type the email address you use to sign in. Double-check the spelling — a typo means you'll never get an email, but you won't get an error either. See Why BluAuth doesn't tell you if your email is on file below.

Click Send reset link.

4. Check your email

A message titled "Reset your password" should arrive within a minute or two. If you don't see it:

  • Check your spam or junk folder.
  • Check Gmail's Promotions and Updates tabs.
  • Search for "bluauth" or the name of the app you were signing into.
  • Make sure you typed your email correctly on the previous step.
  • If it's been more than 10 minutes, see I didn't get my password reset email.

5. Click the reset button

The email has a Reset Password button. Click it. This opens a page where you can type a new password.

The link is valid for one hour. If you wait too long, go back to step 1 and request a new one — older links are retired the moment you request a new one, so only the most recent email will work.

6. Choose a new password

Your new password has to pass three checks. The page will tell you in real time which ones have passed.

Length

Every password must be at least 8 characters. Some tenants require longer — 12 or 16. Longer is stronger, and a passphrase ("correct horse battery staple") is easier to remember than a random string.

Breach check

BluAuth compares the password you chose against a list of passwords known to have been exposed in public data breaches. The check is private — your password is never sent anywhere in readable form. If a match is found, you'll see a "this password has appeared in a data breach" message and you'll need to pick a different one. This isn't optional; even strong-looking passwords are unsafe once they're on a public list.

Password history

BluAuth remembers the last several passwords you've used (usually 5, sometimes more depending on your tenant). You can't reuse any of them. If you get a "you've used this password recently" error, pick something different.

You'll type the new password twice to confirm.

7. Sign in

Once you click Reset password, you're automatically signed in and taken back to the app. No further steps.

What happens to your other sessions

Resetting your password is also a security action — it doesn't just update your credential, it kicks everyone else out.

  • Every other session signed in as you ends immediately. If you were signed in on another computer, your phone, or a tablet, those devices will be signed out the next time they try to do anything.
  • API tokens tied to your session are revoked. If a downstream Blu app was holding a session for you, it'll prompt you to sign in again.
  • The device you reset on stays signed in. You won't have to sign in again on the browser where you just finished resetting.

This is deliberate. If you're resetting because you think someone else got into your account, the reset locks them out — they can't stay signed in on some other device while you're picking a new password.

Resetting on a shared or public device

If you're using a computer that isn't yours — a hotel kiosk, a library PC, a friend's laptop — take two extra precautions.

  1. Use a private / incognito window for the entire flow. That prevents the browser from saving your email, the reset link, or your session after you close the tab.
  2. When you're done, sign out explicitly. Click your avatar, then Sign out. Then close every window in that browser, including the private one.

Never save the new password in a browser you don't own. If you need your password on the go, use a password manager like 1Password that syncs across your own devices.

Why BluAuth doesn't tell you if your email is on file

You might notice that after you click Send reset link, BluAuth shows the same success message whether your email is real or not. That's on purpose.

If BluAuth said "no account found" for unknown addresses, anyone could type email addresses at random and learn which ones have BluAuth accounts — a technique called user enumeration. Attackers use that list to target phishing or password-spraying attempts. By showing the same message either way, BluAuth gives away nothing.

The practical consequence: if you're not getting the email, the most likely cause is a typo. Try again and be careful with the spelling.
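The link rules described on this page (identical reply for known and unknown addresses, one-hour validity, only the newest link works, one use per link) can be modelled in a few lines. This is an added example, not BluAuth's own code; the class, function names, reply wording and sample addresses are all hypothetical.

```python
import hashlib
import secrets

RESET_TTL = 3600  # seconds; the page says a link is valid for one hour
SAME_REPLY = "If that address has an account, a reset link has been sent."  # constructed wording

def _digest(token):
    # Store only a hash so a leaked table holds no usable links.
    return hashlib.sha256(token.encode()).hexdigest()

class ResetLinks:
    """Hypothetical in-memory model of the reset-link rules on this page."""

    def __init__(self, accounts):
        self.accounts = {a.lower() for a in accounts}
        self.links = {}    # digest -> {"email", "issued", "state"}
        self.latest = {}   # email -> digest of its newest link
        self.outbox = []   # (email, token): stands in for the mailer

    def request(self, email, now):
        email = email.strip().lower()
        if email in self.accounts:
            old = self.latest.get(email)
            if old and self.links[old]["state"] == "active":
                self.links[old]["state"] = "retired"  # older link stops working
            token = secrets.token_urlsafe(32)
            d = _digest(token)
            self.links[d] = {"email": email, "issued": now, "state": "active"}
            self.latest[email] = d
            self.outbox.append((email, token))
        return SAME_REPLY  # identical for known and unknown addresses

    def redeem(self, token, now):
        link = self.links.get(_digest(token))
        if link is None:
            return "invalid"
        if link["state"] == "used":
            return "already used"
        if link["state"] == "retired" or now - link["issued"] > RESET_TTL:
            return "expired"
        link["state"] = "used"  # single use: any later visit is rejected
        return "ok"

def demo():
    s = ResetLinks(["ana@example.com"])           # constructed account
    r1 = s.request("ana@example.com", now=0)
    r2 = s.request("nobody@example.com", now=0)   # unknown address, same reply
    s.request("ana@example.com", now=60)          # second request retires the first link
    first, second = (t for _, t in s.outbox)
    return [r1 == r2, s.redeem(first, 120), s.redeem(second, 120), s.redeem(second, 130)]
```

A production service would also keep response time similar for known and unknown addresses, since timing can leak the same information as the message.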

Common questions

Does resetting my password affect my other logins?

It resets the password used to sign in to BluAuth. If you normally sign in through Google, Microsoft, or another identity provider (your "Enterprise sign-in" button), your password is managed by that provider — the BluAuth reset won't touch it.

I never had a password — I always used the enterprise button

If you've always signed in through an enterprise provider (like Google or Microsoft), you don't have a BluAuth password to reset. Keep using the enterprise button. If you want to add a password as a backup, ask your administrator — some tenants allow it, some don't.

The reset link is expired

Reset links expire after one hour. Just request a new one — repeat from step 1.

I reset my password but still can't sign in

See I can't sign in.

Can I reuse my old password?

No. BluAuth blocks your most recent passwords (usually the last 5). Pick something new. If you just want to rotate to a known-good password, use a password manager to generate one.

Do I need to set up two-factor authentication again after a reset?

No. Resetting your password doesn't affect your 2FA setup. You'll still use the same authenticator app and recovery codes. See two-factor authentication.

Can I change my password without resetting it?

Yes. If you still know your current password and just want to change it, you don't need the email flow at all. Sign in, click your avatar, go to Profile → Security, and choose Change password. You'll type your current password once and your new password twice. The same length, breach, and history checks apply.

Changing your password this way also signs out your other sessions, same as a reset. That's intentional — if you're changing your password because it might have leaked, the point is to kick everyone else out.

I'm getting the reset email but the link goes to a "link expired" page immediately

Two common causes:

  • You requested a second reset. Only the most recent link works. If you clicked the older email, you'll see the expired page. Go back to the newest email in your inbox.
  • Your email client is pre-fetching the link. Some corporate mail systems click every link in an email to scan for malware. That "click" counts as using the link, so by the time you click it yourself, it's already used. Ask your admin or IT about this — they can whitelist BluAuth's reset links so they aren't pre-fetched.

Can I use a password manager?

Yes — please do. Password managers like 1Password, Bitwarden, Dashlane, and the ones built into your browser all work with BluAuth. They make it easy to use a unique, strong password without having to remember it. Save your new password in your manager right after the reset so you don't have to think about it again.

Does the reset work on mobile?

Yes. The whole flow works the same on a phone or tablet. One thing to watch: if you open the reset email in a mobile mail app, it may open the link in an in-app browser that doesn't handle the redirect well. If that happens, copy the link and paste it into Safari or Chrome. See mobile in-app browsers for more.

What if I clicked the link but got "this link has already been used"?

Once a reset link is used successfully, it can't be used again; that's intentional. If you see this message without having completed a reset, it's usually for one of these reasons:

  • Your mail system pre-fetched the link. Some corporate mail scanners visit every link in incoming mail. That visit counts as "use."
  • You clicked the link in the email twice. If the first click already completed, the second click hits an already-used link.
  • Someone else clicked it. If you forwarded the email or someone else has access to your inbox, they may have used the link first. Change your password immediately if that's a possibility, and talk to your admin.

The fix is the same in any case: request a new reset link from the sign-in page.

I just reset my password and I'm still signed in on my phone

The device you reset on (your computer, in this case) stays signed in. The device you're asking about (your phone) should have been signed out automatically. If it still seems to be working, that's usually because:

  • The phone is using a cached view and hasn't checked in with BluAuth yet. It'll prompt for sign-in on the next real action.
  • Your phone's session is tied to a separate BluAuth account you didn't realize you had. See why do I have multiple accounts?.

Related

  • I didn't get my password reset email — when the email never arrives.
  • I can't sign in — after-reset sign-in problems.
  • My session keeps expiring — what the reset does to your other devices.
  • Two-factor authentication — 2FA carries over through a reset.

© 2026 Blu Digital Group