Skip to content

Password Verification


When a user needs to change their password in your application, you may need to verify their existing password for security reasons. Since Backendless stores passwords in the encrypted format and never returns the password value, you need to use the API call documented below to implement password verification. The API checks the provided password value against the one stored in the database. User must be logged - Backendless verifies provided value for the currently logged in user.

This functionality can be used only in CloudCode (Java, JS or Codeless), the reason for this restriction is that a malicious use of this API can easily compromise application's security. As a result, this API must be used from a controlled environment. It is important the REST API is used with the CloudCode API key.



Endpoint URL<application-id>/<CLOUDCODE-api-key>/users/verifypassword


Argument                Description
<application-id> The ID of your application generated upon its creation. You can obtain the value in the Manage > App Settings section of the Backendless Console.
<CLOUDCODE-api-key> CloudCode API key of your application. You can obtain the value in the Manage > App Settings section of the Backendless Console.

Request Headers

user-token: value-of-the-user-token-header-from-login  


Argument                Description
user-token A value returned by Backendless in the response for the preceding Login operation. The value identifies the user to be logged out. This header is mandatory.
Content-Type Must be set to application/json. This header is mandatory.

Request Body

  "password" : "password value to verify"  


Argument                Description
"password" Is a string value representing a secret used to authenticate the user.

Response Body

true if the password is correct, otherwise false.


The example below verifies the password "wonderland" against the password stored in the Backendless database.

curl --location --request POST '' \  
--header 'user-token: 09420BF2-9A41-4FD5-B8FB-8AD56AB35782' \  
--header 'Content-Type: application/json' \  
--data-raw '{  
    "password": "wonderland"  

Codeless Reference


Returns true if the password is correct, otherwise false.

Consider the following record in the Users data table:

The example below logs in as "" to obtain the user token which is required for this operation. Then it verifies the user password and returns true since passwords match.