Change Password
A logged-in customer changes their own password by sending their current password together with a new password and its confirmation. This is part of the customer profile-update endpoint.
Forgot the password instead?
This endpoint is for a customer who knows their current password. If the password was forgotten, use Forgot Password (POST /api/shop/forgot-passwords), which emails a reset link that the customer completes on the web. The storefront API has no token-based reset endpoint.
Endpoint
PUT /api/shop/customer-profile-updates/{id}

{id} is the authenticated customer's ID.
Request Headers
| Header | Required | Description |
|---|---|---|
| Content-Type | Yes | application/json |
| X-STOREFRONT-KEY | Yes | Your storefront API key |
| Authorization | Yes | Bearer <token> — the customer's token from Customer Login |
Request Body
{
  "currentPassword": "OldPass123!",
  "password": "NewPass456!",
  "confirmPassword": "NewPass456!"
}

| Field | Type | Required | Description |
|---|---|---|---|
| currentPassword | string | Yes | The customer's existing password (verified before the change) |
| password | string | Yes | The new password |
| confirmPassword | string | Yes | Must match password |
This is the same endpoint used to update profile fields (name, email, …) — to change the password, send the three password fields above. Sending profile fields without the password fields updates the profile without touching the password.
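As an added example (not part of the storefront API's own documentation or code), the JavaScript below builds this request without sending it, rejects a partial or mismatched set of password fields before anything leaves the client, and produces a log-safe copy with the passwords, bearer token and storefront key redacted. `BASE_URL` and the function names are assumptions; the path, header names and field names are the ones listed above.

```javascript
// BASE_URL is a placeholder assumption; path, headers and fields come from the page.
const BASE_URL = "https://shop.example";
const PASSWORD_FIELDS = ["currentPassword", "password", "confirmPassword"];

// Builds { url, init } suitable for fetch(url, init). Nothing is sent here.
function buildProfileUpdate({ id, token, storefrontKey, fields = {} }) {
  if (!id || !token || !storefrontKey) {
    throw new Error("id, token and storefrontKey are required");
  }
  const present = PASSWORD_FIELDS.filter((f) => f in fields);
  // This example's choice: all three password fields or none. A partial set
  // is treated as a client bug rather than left for the server to interpret.
  if (present.length !== 0 && present.length !== PASSWORD_FIELDS.length) {
    throw new Error("send all three password fields or none");
  }
  if (present.some((f) => typeof fields[f] !== "string" || fields[f] === "")) {
    throw new Error("password fields must be non-empty strings");
  }
  if (present.length && fields.password !== fields.confirmPassword) {
    throw new Error("confirmPassword must match password");
  }
  return {
    url: `${BASE_URL}/api/shop/customer-profile-updates/${encodeURIComponent(id)}`,
    init: {
      method: "PUT",
      headers: {
        "Content-Type": "application/json",
        "X-STOREFRONT-KEY": storefrontKey,
        Authorization: `Bearer ${token}`,
      },
      body: JSON.stringify(fields),
    },
  };
}

// Returns a copy of the request that is safe to write to logs.
function redactForLog(req) {
  const body = JSON.parse(req.init.body);
  for (const f of PASSWORD_FIELDS) if (f in body) body[f] = "[REDACTED]";
  const headers = {
    ...req.init.headers,
    "X-STOREFRONT-KEY": "[REDACTED]",
    Authorization: "Bearer [REDACTED]",
  };
  return { url: req.url, method: req.init.method, headers, body };
}
```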
Response (200 OK)
The endpoint returns the updated customer profile.
| Field | Type | Description |
|---|---|---|
| id / _id | string | Customer ID |
| firstName / lastName / email | string | Profile fields |
| success | boolean | Whether the update succeeded |
| message | string | Human-readable result |
After the change, the old password stops working and the customer logs in with the new one. Tokens issued before the change are not revoked by it: existing tokens remain valid until they expire.

