If you cannot log in to your Mastodon account because you forgot the password, you are locked out of posting, following, or reading your home timeline. Mastodon uses a standard email-based password reset flow, but the exact steps depend on whether you can still access the email address you registered with. This article explains the complete process to reset a Mastodon password, including what to do if the reset email does not arrive or if you lost access to your email account.
Key Takeaways: Resetting Your Mastodon Password
- Login page “Forgot password” link: Sends a password reset email to your registered address within a few minutes.
- Check spam and junk folders: The reset email may be filtered by your email provider if the instance uses a custom domain.
- Contact instance admin as a fallback: If you no longer have access to your email, only the server admin can manually reset the password.
How Mastodon Password Resets Work
Mastodon does not store passwords in plain text. It hashes and salts them using bcrypt, so neither the instance admin nor anyone else can see your original password. When you request a password reset, the Mastodon server generates a unique, time-limited token and sends it to the email address on file. The token is valid for approximately one hour. After you click the link in the email, you are prompted to enter a new password twice to confirm it.
The reset process relies entirely on your ability to receive email from the Mastodon instance. If the instance uses a custom domain such as social.example.com, the email may come from an address like noreply@social.example.com or notifications@social.example.com. Some email services treat these as suspicious and route them to spam.
When the Reset Email Does Not Arrive
Several factors can prevent the reset email from reaching your inbox. The instance may have a misconfigured mail server, or your email provider may block the message outright. If you use a free email service like Gmail or Outlook.com, check the spam folder first. If the email is not there, add the instance's sending domain to your contacts or safe senders list and request the reset again. If the email still does not arrive after 15 minutes, the instance mail server may be down. In that case, you must contact the instance admin directly.
Steps to Reset a Forgotten Mastodon Password
Follow these steps to regain access to your Mastodon account. You need access to the email address you used when signing up.
- Go to your Mastodon instance login page
Open a web browser and navigate to your instance URL, for example mastodon.social or mastodon.online. The login page shows fields for email and password. - Click the “Forgot password” link
Below the password field, click the link labeled Forgot password. The page changes to a form asking for your email address. - Enter your registered email address
Type the email address you used to create your Mastodon account. Click the Send me reset instructions button. Mastodon displays a confirmation message saying the email has been sent if the address exists in its database. - Check your email inbox
Open your email application. Look for a message from the Mastodon instance. The subject line is usually Reset password or Password reset instructions. If you do not see it within five minutes, check the spam or junk folder. - Click the reset link in the email
Open the email and click the button or link that says Reset password. The link directs you to a page on your Mastodon instance where you can set a new password. Do not use the link after one hour — it expires. - Enter and confirm your new password
Type a new password in the Password field. Mastodon requires a minimum of eight characters. Retype the same password in the Confirm password field. Click the Save changes button. - Log in with your new password
You are redirected to the login page. Enter your email address and the new password. Click Sign in. You now have full access to your account again.
If You Use Two-Factor Authentication
After resetting your password, Mastodon still requires your two-factor authentication code to complete the login. If you lost access to your authenticator app and did not save backup codes, you must contact the instance admin to disable two-factor authentication on your account. The admin can do this from the moderation panel under Administration > Users.
Common Problems When Resetting a Mastodon Password
Reset Email Never Arrives
If the reset email does not appear in any folder after 30 minutes, the instance mail server may be misconfigured or offline. Some smaller instances use free email relay services that have daily sending limits. When the limit is reached, the server stops sending emails. In this case, you cannot reset the password through the web form. Locate the instance admin email address, usually listed on the About page of the instance, and send a direct request for a manual password reset. Include your username and the email address on file.
You No Longer Have Access to the Registered Email
Mastodon does not offer a secondary recovery method such as security questions or a backup email. If you cannot receive emails at the registered address, the only option is to contact the instance admin. Provide proof of account ownership, such as a screenshot of a post you made or the exact date you created the account. The admin can update your email address and trigger a password reset from the server backend using the tootctl accounts modify command. This requires the admin to run a command-line tool, so response time may vary.
New Password Is Rejected
Mastodon enforces a minimum password length of eight characters. Some instances have additional policies, such as requiring at least one uppercase letter, one number, or one special character. If your new password is rejected, check the error message. It usually states the exact requirement. Try a longer password with a mix of character types. Avoid reusing a password you have used on other services.
Reset Link Expired
The reset link in the email is valid for one hour. If you click it after that time, Mastodon shows an error page saying the link is invalid or expired. Request a new reset by repeating the steps from the login page. You do not need to wait between attempts.
Mastodon Password Reset vs Admin Reset
| Item | Self-Service Reset via Email | Admin-Initiated Reset |
|---|---|---|
| Who can perform it | Any user with email access | Instance admin with server shell access |
| Time required | 5 to 15 minutes | Hours to days depending on admin response |
| Requires email access | Yes | No admin can update email first |
| Requires admin intervention | No | Yes |
| Password strength enforced | Minimum 8 characters | Same policy enforced by server |
After you successfully reset your password, log in and verify that your profile, followers, and posts are intact. If you use a password manager, save the new credentials immediately. Consider enabling two-factor authentication in Preferences > Account > Two-factor Authentication to prevent future lockouts. As a best practice, periodically export your backup codes and store them in a secure location separate from your password manager.