E-commerce
July 1, 2026
"The bot gave me the reset link in the chat." "The AI changed my password without verifying my identity." "The chatbot offers a reset even tho I have a passwordless account." Three failures where a miscalibrated reset bot bypasses auth security.
A password reset AI chatbot for e-commerce does not replace PWRESET agents (#845). It reads PWRESET-MAP, lists spam and password rules, routes to passwordless #837, and hands off the reset request to humans without pasting the reset URL or executing the admin reset API.
This guide #846 covers intents bot_pwreset_*, flow PWRESETbot, and KPI pwreset_bot. Runs in tandem with the PWRESET playbook (#845). AI use case: guiding tier 1 reset without bypassing security.
Summary
Why automate the password reset guide with a bot?
"Forgot password", "missing reset email", "expired link" land on the login page and widget. A calibrated bot reads PWRESET-MAP, guides on spam and rules, without NO-LINK-EXPOSE violation.
What the bot resolves in tier 1 reset
Guide on spam: spam_copy inbox map
Explain link TTL: link_ttl_copy single-use map
Cite password rules: rules_copy complexity map
Route passwordless: passwordless_route_copy #837 map
Support handoff: #845 payload pwreset_* resend admin
PWRESETbot vs PWRESET #845, MAGICLINKbot #838, LOGIN #294 and anti-hallucination #123
Seven pieces of content, seven distinct auth reset paths.
Quick Matrix
#846 PWRESETbot: tier 1 bot guides legacy handoff reset without link
#845 PWRESET: agents resend reset PR-5 ID check admin
MAGICLINKbot #838: distinct passwordless classic reset
MAGICLINK #837: new accounts not PW reset
LOGIN #294: global login login_pwd_reset_fail tag
TWOFACTbot #840: 2FA post-reset distinct email reset
Anti-hallucination #123: policy map whitelist do not invent reset
Pipeline: #846 bot guides tier 1 → #845 agents execute PR-5 secure reset resend.
Which bot_pwreset_* intents should be configured?
Eight bot reset intents mapped to typologies pwreset_* #845.
Eight bot_pwreset intents
bot_pwreset_spam: spam_copy spam map
bot_pwreset_not_received: spam then handoff resend map
bot_pwreset_link_expired: link_ttl_copy handoff resend map
bot_pwreset_rules: rules_copy complexity example map
bot_pwreset_passwordless_reroute: passwordless_route_copy MAGICLINK837
bot_pwreset_no_account: no_account_copy create account map
bot_pwreset_locked: locked_copy waiting for unlock map
bot_pwreset_handoff: resend admin → PWRESET845-HANDOFF-BOT
Resend reset admin → human handoff PR-5 only. Bot guide explain only.
How should PWRESET-MAP #845 be used?
The bot reads PWRESET-MAP #845: pwreset_program_id, spam_copy, link_ttl_copy, rules_copy, passwordless_route_copy, no_account_copy, locked_copy, resend_handoff_copy, auth_type_matrix_copy, ttl_minutes_copy.
Sensitive Reset Guardrails
PWRESET-MAP-GROUNDED-BOT: reset response from map only
PWRESET-NO-LINK-EXPOSE-BOT: never expose reset URL in chat
NO-RESEND-EXECUTE-BOT: do not trigger reset email via bot API
NO-ADMIN-RESET-BOT: no forced password reset by bot
PASSWORDLESS837-REROUTE-BOT: new accounts → #837 distinct PW reset
PWRESET845-HANDOFF-BOT: resend execute → #845 agents PR-5
PWRESETBOT-SUP Policy in Six Rules
Six rules for responsible bot reset.
PWRESET-MAP-GROUNDED-BOT: reset guide from map only
AUTH-TYPE-CHECK-BOT: legacy vs passwordless before reset guide
PWRESET-NO-LINK-EXPOSE-BOT: zero reset URL in chat
NO-RESEND-EXECUTE-BOT: human reset resend #845 only
RULES-CITE-BOT: rules_copy verbatim if rules_fail
NO-ADMIN-RESET-BOT: admin forced reset handoff ID check only
Flow PWRESETbot PRB-1 to PRB-8
Flow eight steps bot reset embed page forgot password widget.
PRB-1 Classify : bot_pwreset_* detect keyword forgot password reset email
PRB-2 Auth type : legacy vs passwordless before reset branch
PRB-3 PWRESET-MAP : spam link_ttl rules passwordless handoff
PRB-4 Explain : TPL-PWRESETbot-SPAM or RULES depending on intent
PRB-5 Guardrail : MAP-GROUNDED NO-LINK-EXPOSE NO-RESEND NO-ADMIN-RESET
PRB-6 Respond : TPL-PWRESETbot max 3 sentences grounded
PRB-7 Handoff or close : #845 payload or close self-service OK
PRB-8 Log : intent link_blocked passwordless_routed handoff Y/N
Example TPL-PWRESETbot-SPAM
" [spam_copy map.] If missing after 2 min: agent handoff. [link_ttl_copy map.] NO-LINK-EXPOSE-BOT. "
TPL-PWRESETbot templates and touchpoints
Four short login embed reset templates.
TPL-PWRESETbot-SPAM
[spam_copy map.] NO-RESEND-EXECUTE-BOT. PWRESET-MAP-GROUNDED-BOT.
TPL-PWRESETbot-TTL
[link_ttl_copy map.] New link: handoff agent. PWRESET845-HANDOFF-BOT.
TPL-PWRESETbot-RULES
[rules_copy map.] RULES-CITE-BOT verbatim.
TPL-PWRESETbot-PASSWORDLESS
[passwordless_route_copy map.] PASSWORDLESS837-REROUTE-BOT.
Touchpoints
Forgot password page: bot_pwreset_not_received instant
Expired link keyword: bot_pwreset_link_expired trigger
Password rejected keyword: bot_pwreset_rules proactive
No password keyword: bot_pwreset_passwordless_reroute
Edge cases and reroutes
Five cases outside tier 1 bot reset standard.
New Shopify accounts: PASSWORDLESS837-REROUTE no password reset
Customer requests chat reset link: NO-LINK-EXPOSE handoff #845
2FA blocked after reset: TWOFACTbot #840 reroute
Confuses reset and order confirmation: CONFEMAIL358 reroute
Magic link not reset: MAGICLINKbot #838 distinct
Essential pwreset_bot KPIs
Five PWRESETbot steering metrics, security included.
pwreset_bot_clarity_deflect: closed resolved without agent repeat 7d
pwreset_bot_link_expose_violations: URL reset chat audit target 0
pwreset_bot_passwordless_route_rate: % new accounts routed #837
pwreset_bot_rules_cite_rate: RULES-CITE if rules_fail
pwreset_bot_handoff_rate: escalate #845 / total reset bot
Target: pwreset_bot_link_expose_violations 0 and pwreset_bot_passwordless_route_rate 100% if detected.
PWRESETbot anti-patterns
Five common errors for password reset bot.
Paste reset URL chat: NO-LINK-EXPOSE-BOT handoff #845
Trigger reset email API: NO-RESEND-EXECUTE human PR-5
Reset admin without ID check: NO-ADMIN-RESET-BOT handoff only
Offer reset on passwordless: PASSWORDLESS837 reroute first
Invent password rules: RULES-CITE map verbatim only
PWRESETbot with Qstomy
Qstomy on Shopify: detect bot_pwreset intent forgot password, PWRESET-MAP RAG grounded, NO-LINK-EXPOSE guardrail, enriched handoff #845 tier 2.
Pipeline: #846 bot guider tier 1 → #845 agents execute reset resend PR-5.
Explore AI support and request a demo.
Checklist, FAQ and going further
PWRESETbot Checklist (8 steps)
Sync PWRESET-MAP #845: RAG bot reset embed page forgotten
Policy PWRESETBOT-SUP: 6 rules NO-LINK-EXPOSE NO-RESEND NO-ADMIN-RESET
8 intents bot_pwreset_*: flow PRB-1 to PRB-8
4 templates TPL-PWRESETbot-*: SPAM TTL RULES PASSWORDLESS
Block reset API write: bot read-only do not trigger reset email
Red team 20 prompts: ask for reset link, admin reset without ID
Forgot password proactive: bot_pwreset_not_received trigger page
Dashboard KPI: pwreset_bot_* section 9 link_expose_violations passwordless_route
FAQ
Difference #845?
#845 = agents resend reset ID check PR-5. #846 = bot guide tier 1 without link.
Does the bot resend the reset email?
No. NO-RESEND-EXECUTE-BOT. PWRESET845-HANDOFF humans PR-5.
Passwordless account?
bot_pwreset_passwordless_reroute TPL-PWRESETbot-PASSWORDLESS #837.
Password rejected?
bot_pwreset_rules TPL-PWRESETbot-RULES RULES-CITE verbatim.
Going Further
This week: deploy PWRESET-MAP RAG forgotten page embed, red team link_expose_violations audit, sync bot_pwreset_passwordless_reroute proactive scenario new accounts test.

Enzo
July 1, 2026





