diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index a240f97670b7bb47322f4eedf6f0b2487a68e199..73a28606566a67ac7a0499a5b49075e4005c22ab 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -4,8 +4,6 @@ class ApplicationController < ActionController::API def render_jsonapi_response(resource) if resource.errors.empty? - puts "lol" - puts resource.email render jsonapi: resource else render jsonapi_errors: resource.errors, status: 400 diff --git a/app/controllers/auth_controller.rb b/app/controllers/auth_controller.rb index a7ab6c6e4fe8afe12adb2f0c66ec263223a81118..9e49d9bcc81beb7e102cc6e95342e9d2166d5d00 100644 --- a/app/controllers/auth_controller.rb +++ b/app/controllers/auth_controller.rb @@ -6,25 +6,37 @@ class AuthController < ApplicationController end def auth_success - render json: { message: 'User Authenticated.'} + render json: { message: 'User Authenticated.'}, status: 200 end def auth_fail - render json: { message: 'Failed to Authenticate User.'} + render json: { message: 'Failed to Authenticate User.'}, status: 401 end def get_email - puts params ids = params["auth"]["ids"] - puts ids if authenticate_user! emails = [] ids.each do |i| emails.push(User.find_by(id: i).email) end - render json: { emails: emails } + render json: { emails: emails }, status: 200 else auth_fail end end + + def password_reset_token + token, hashed_token = Devise.token_generator.generate(User, :reset_password_token) + user = User.find_by(email: params["email"]) + if user == nil + render json: { error: "user not found" }, status: 404 + else + user.reset_password_token = hashed_token + user.reset_password_sent_at = Time.now + user.save + render json: {token: token}, status: 200 + end + end + end \ No newline at end of file 
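Review bot: The new `password_reset_token` action in app/controllers/auth_controller.rb returns the raw reset token in the HTTP response (`render json: {token: token}`), and nothing visible in the action checks who is asking, so knowing an account's email address is enough to receive a valid token for it (a `before_action` outside the hunk could change this, since the class starts above it). A reset token only proves mailbox ownership if it is delivered through the mailbox: let Devise store and mail it with `user&.send_reset_password_instructions` (this needs a configured mailer) instead of the manual `Devise.token_generator` bookkeeping. The 404 `user not found` branch also reveals which addresses are registered, so the action should answer the same way in both cases, e.g. `render json: { message: 'If the account exists, reset instructions were sent.' }, status: 202`. Separately, in `get_email`, `User.find_by(id: i).email` raises on an unknown id, and `params["auth"]["ids"]` is read before `authenticate_user!` runs.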
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb new file mode 100644 index 0000000000000000000000000000000000000000..8964544c1638258ca0c30eb14e25fb0b2b6628e8 --- /dev/null +++ b/app/controllers/passwords_controller.rb @@ -0,0 +1,18 @@ +class PasswordsController < Devise::PasswordsController + def update + user = User.with_reset_password_token(params["reset_password_token"]) + if user == nil + render json: {"message": "user not found"}, status: 404 + else + if user.reset_password_sent_at + 2.hours > Time.now + user.reset_password(params["password"], params["password_confirmation"]) + render json: {"message": "password changed"}, status: 200 + else + render json: {"message": "password reset expired"}, status: 401 + + end + + end + + end +end \ No newline at end of file diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb index 05ad1473888dfa5a4475e5cf7514b9cdf83da113..c885a2c1d49697822c4f1fbae04e038ae4ffbef3 100644 --- a/app/controllers/registrations_controller.rb +++ b/app/controllers/registrations_controller.rb @@ -6,5 +6,4 @@ class RegistrationsController < Devise::RegistrationsController sign_up(resource_name, resource) if resource.persisted? render_jsonapi_response(resource) end - end \ No newline at end of file diff --git a/app/models/user.rb b/app/models/user.rb index 5f6a80061e49212514f7832e022cd01c86e2abf8..a00a7b409838046452ff156a2e3856c0f36adb19 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -1,7 +1,7 @@ class User < ApplicationRecord # Include default devise modules. Others available are: # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable - devise :database_authenticatable, :registerable, + devise :database_authenticatable, :registerable, :recoverable, :jwt_authenticatable, jwt_revocation_strategy: JwtDenylist end 
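Review bot: `update` in app/controllers/passwords_controller.rb ignores the return value of `user.reset_password(...)`, so a blank or otherwise rejected password still gets `password changed` with status 200. Branch on the result, `if user.reset_password(params["password"], params["password_confirmation"])`, and return the model's errors with a 4xx status otherwise. The expiry test `user.reset_password_sent_at + 2.hours > Time.now` hard-codes a window that Devise already manages through `reset_password_within`, and it would raise if `reset_password_sent_at` were ever nil; `user.reset_password_period_valid?` covers both cases.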
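Review bot: The `devise` line in app/models/user.rb now enables `:recoverable`, but the module list still has no `:validatable`, and the model lines visible in this hunk define no validations of their own. As far as the hunk shows, the new reset path would therefore accept any non-blank password, and a `password_confirmation` that does not match would not be rejected. Consider adding `:validatable`, or explicit length and confirmation validations, in the same change.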
diff --git a/config/routes.rb b/config/routes.rb index 1ec2497bb26a99f2459126369f6865d2f46740d4..6e9a3e84e3a25e3b06bd263e73a0bfc1906d2eac 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -6,6 +6,7 @@ Rails.application.routes.draw do post 'auth', to: 'auth#access_check' post 'auth/email', to: 'auth#get_email' + post 'reset_password_token', to: 'auth#password_reset_token' devise_for :users, defaults: { format: :json }, @@ -20,5 +21,7 @@ Rails.application.routes.draw do registrations: 'registrations', } - + devise_scope :user do + put 'reset_password', to: 'passwords#update' + end end
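Review bot: The second hunk of config/routes.rb adds `put 'reset_password', to: 'passwords#update'` inside `devise_scope :user`, but with `:recoverable` enabled `devise_for :users` also generates Devise's stock password routes unless they are mapped or skipped. The `controllers:` hash is only partly visible here and shows `registrations: 'registrations'` with no `passwords:` entry, so the default `Devise::PasswordsController` may stay reachable alongside the custom one. If only the custom flow is intended, add `passwords: 'passwords'` to that hash or pass `skip: [:passwords]` to `devise_for`. Neither new route shows any throttling; reset endpoints are a common target for token guessing and mail flooding, so a rate limit belongs here if one is not applied elsewhere.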