(Create User / Change User) password with API


I want to create a User or change the password from a User with the API. We are using a custom front-end where we use data from SuiteCRM. So SuiteCRM is a backend for some users. We can get everything with te API, but now I want to give users the possibility to change their password in the front-end. They can change all of their account data, but their passwords need an encryption.

The API endpoint I use to change User-data is a PATCH-method with the url: {basicUrl}/Api/V8/module and with a body:

                data: {
                    type: "User",
                    id: {id},
                    attributes: {
                        user_hash: xxxxx

But the user_hash is expecting the correct encryption. So the question is: what is the correct encryption to send to API from SuiteCRM?

have you tried to submit the password as md5("yourPlainTextPassword") ?


I am using an JavaScript platform (Vue.js). So it’s possible to send a plain text as “user_hash”, but the API endpoint doesn’t convert it to any hashed password. I already noticed that the application first encrypt the password with md5 and next the md5-password will be encrypted by BCrypt.
I’m thinking it’s better to create a new attribute, like “password”, and send it as attribute in my body to the API endpoint. Then I have to change the endpoint and use the function to encrypt the password. I think this will be better then encrypt the password in my JavaScript application.

Updated the API endpoint on two different php files: ModuleService.php & User.php.

Added extra check in the “updateRecord” function in the ModuleService.php:

        if (isset($attributes["user_name"]) && !empty($attributes["user_name"]) && isset($attributes["api_new_password"]) && !empty($attributes["api_new_password"]) && isset($attributes["api_current_password"]) && !empty($attributes["api_current_password"])) {
            $focus = BeanFactory::newBean('Users');

            if (empty($focus->findUserPassword($attributes["user_name"], md5($attributes["api_current_password"])))) {
                throw new AccessDeniedException("incorrect-password");

And added a function in the “save” function in the User.php:

        if (isset($this->api_new_password) && !empty($this->api_new_password) && isset($this->api_current_password) && !empty($this->api_current_password)) {
            $this->change_password($this->api_current_password, $this->api_new_password);

This will fix the issue.


I have the same question: set or change user password using API.

The revisions go at the end of the fuctions, before the “return” code, right?

Did you change the content of the body? Do you still use user_hash or another attribute? The password sent will be as is, no more hashing?