If you're looking for the Hosted Login v1 version of this screen, see Password Reset Link is Invalid v1.
The resetPasswordCodeExchange screen is displayed when a user clicks an invalid reset password link; these links are emailed to users who click the Forgot Password? link on the sign-in screen and then supply a valid email address. Typically this screen is displayed because one of the following scenarios took place;
The reset password link has already been used: password reset links are for one-time use only. In fact, suppose you click a reset password link then, for whatever reason, don’t reset your password. A few minutes later, you click the reset password link again. When you do that, you’ll see the resetPasswordCodeExchange screen. That’s because the link has already been clicked once, even though you didn’t do anything after clicking the link.
The reset password link has expired: by default, these links are only valid for 15 minutes. If 15 minutes is too long (or too short), you can modify the lifetime for a reset password link by using the recover_code_lifetime setting.
The following graphic shows how the resetPasswordCodeExchange screen fits into the Reset Password flow:
Updated 22 days ago