After using /account/reset, clients should immediately perform the login protocol from above. If the old password was forgotten, this is necessary to fetch kA. In either case, a new sessionToken is required, since old sessions and tokens are revoked by /account/reset. Clients should retain the new srpPassword value during this process to avoid needing to run the lengthy key-stretching routine a second time.
= Deleting The Account =
When the user wishes to completely delete their account, the browser needs to perform two actions:
* contact the storage servers and delete all records and collections
* contact the keyserver and delete the account information
The user should be prompted for their password as confirmation (i.e. a browser in the normal attached-and-synchronizing state should not be able to erase the account information: it must acquire a new authToken first).
The device then obtains an authToken as described above and spends it on a HAWK-protected request to the /account/delete endpoint. This request carries no body and returns only a success code.
[[File:PICL-IdPAuth-deleteAccount.png|Deleting the Account]]
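The HAWK-protected deletion request described above, as an added illustration (this is example code written for this page, not Mozilla's client or keyserver code). It builds the bodyless request on the client side and shows the checks a keyserver would perform before honouring it: recomputing the Hawk MAC over the normalized request, enforcing a timestamp window, and rejecting a replayed nonce. The Hawk id and key are constructed values; in the real protocol they are derived from the authToken, which is not shown here. The hostname and the use of POST as the HTTP method are assumptions, since the text names neither.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed example credentials. In the keyserver protocol the Hawk id and
# key come from the authToken; that derivation is outside this example.
HAWK_ID = "d4c5b0e0a3f14b2f8e1c9a7d6b5e4f30"
HAWK_KEY = bytes.fromhex("3a" * 32)        # 32-byte HMAC-SHA256 key (constructed)
KEYSERVER_HOST = "keyserver.example"        # assumed host
KEYSERVER_PORT = 443


def hawk_mac(key, ts, nonce, method, resource, host, port, payload_hash="", ext=""):
    """Hawk 1.0 request MAC: HMAC-SHA256 over the normalized request string.

    The deletion request has no body, so the payload hash field stays empty.
    """
    normalized = "\n".join([
        "hawk.1.header",
        str(ts),
        nonce,
        method.upper(),
        resource,
        host.lower(),
        str(port),
        payload_hash,
        ext,
    ]) + "\n"
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_delete_request(hawk_id, key, host=KEYSERVER_HOST, port=KEYSERVER_PORT,
                         ts=None, nonce=None):
    """Client side: a bodyless request to /account/delete with a Hawk header.

    The HTTP method is assumed to be POST (the protocol text does not name it).
    """
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_urlsafe(6) if nonce is None else nonce
    path = "/account/delete"
    mac = hawk_mac(key, ts, nonce, "POST", path, host, port)
    return {
        "method": "POST",
        "path": path,
        "host": host,
        "port": port,
        "headers": {
            "Authorization": f'Hawk id="{hawk_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"',
        },
        "body": b"",
    }


def parse_hawk_header(value):
    """Split 'Hawk k="v", k="v"' into a dict; rejects other auth schemes."""
    if not value.startswith("Hawk "):
        raise ValueError("not a Hawk Authorization header")
    attrs = {}
    for part in value[len("Hawk "):].split(","):
        name, _, raw = part.strip().partition("=")
        attrs[name] = raw.strip('"')
    return attrs


def verify_delete_request(request, lookup_key, seen_nonces, now=None, max_skew=60):
    """Server side: recompute the MAC and reject stale or replayed requests.

    lookup_key maps a Hawk id to its key, or None if the token was revoked or
    never existed. seen_nonces is a set shared across requests so a captured
    header cannot be submitted a second time inside the timestamp window.
    """
    try:
        attrs = parse_hawk_header(request["headers"].get("Authorization", ""))
        ts = int(attrs["ts"])
        hawk_id, nonce, mac = attrs["id"], attrs["nonce"], attrs["mac"]
    except (ValueError, KeyError):
        return False
    key = lookup_key(hawk_id)
    if key is None:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False
    if (hawk_id, ts, nonce) in seen_nonces:
        return False
    expected = hawk_mac(key, ts, nonce, request["method"], request["path"],
                        request["host"], request["port"])
    if not hmac.compare_digest(expected, mac):
        return False
    seen_nonces.add((hawk_id, ts, nonce))   # record only nonces of accepted requests
    return True


if __name__ == "__main__":
    req = build_delete_request(HAWK_ID, HAWK_KEY)
    print(req["headers"]["Authorization"])
    print(verify_delete_request(req, lambda i: HAWK_KEY if i == HAWK_ID else None, set()))
```

Because the MAC covers the method, path, host and port, a header captured from one request cannot be reused against a different endpoint, and the nonce set plus timestamp window bound how long a captured header stays usable at all. Revoking the token on the server (lookup_key returning None) is what makes the "acquire a new authToken first" requirement above effective.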
= Crypto Notes =