Configure form validation rules

Validation rules (and custom error messages) are invoked each time a form is submitted. For example, you can display a custom message if a user enters an invalid password or email address. Alternatively, you can use validation rules to require a user to authenticate before he or she is allowed to change a specified section of their user profile such as their password or email address.

Each validation is made up of three sections, only one of which (value) is optional:


Type of validation rule being configured. Allowed rule types are:

  • requireAuthFields. When enabled, this validation requires a user to authenticate, using the same credentials they used to logon, before he or she can update a specified portion of their user profile. For example, this validation is enabled for use on the changePasswordForm: the user must enter their current password before they are allowed to change that password. The requireAuthFields validation can only be used if the form action is set to profileUpdate.

  • checkIdentifier. When enabled, this validation checks to see if the email address entered by the user is in the user profile store;. If it is, the validation fails and an error message (e.g., No account can be found that uses that email address) is displayed.

    If you don't enable checkIdentifier then a generic error message (Incorrect username or password) is displayed if either the email address or the password is invalid. The generic message doesn't distinguish between invalid email addresses or invalid passwords, which helps guard against username enumeration attacks. In those attacks, a hacker continually tries possible email addresses until he or she stumbles upon a valid username.

    The checkIdentifier rule is used, by default, on both the forgotPasswordForm and the resetPasswordForm forms.

    Note, too that checkIdentifier can only be used if the form action is set to passwordReset.

Other errors – such as rateLimitExceeded or invalidPassword – might be defined in a flow; if so, these errors can also be used for form validations. However, because these errors represent platform-level configurations that aren’t controlled in the flow, you can only include a validation message; you can't specify a validation value. This also means that you can't use the PUT method to enable or disable the validation. All you can do is change the accompanying message.


If you're using the checkIdentifier validation, set the value to true to enable the validation or set the value to false to disable the validation. Validations are "fired" only if they are enabled.

If you're using the requireAuthFields validation, set the value to a comma-separated array of all the fields that require authorization before they can be updated.


Text of the error message displayed if the validation fails. For example:

"message": "No account with that email address exists."

You can configure a custom message or you can use the ID of an existing translation\ when configuring the message property. For example, this syntax references the existing translation 993a4822d6f93ea9401d5204bb213b35:

"message": "993a4822d6f93ea9401d5204bb213b35"

A complete validation rule will look similar to this:

"validation": [
      "rule": "checkIdentifier",
      "value": true,
      "message": "That email address does not exist."