Shopify customer password change form redirects to invalid token page

I’m having trouble with a custom password change form I built for logged-in customers on my Shopify store. The form appears on the /account page where customers can update their passwords after logging in.

The issue is that when customers submit the form, they get redirected to /account/invalid_token instead of successfully changing their password. This is confusing because the password reset works perfectly fine when customers use the standard email recovery process.

Here’s my current form code:

{% form 'customer_password' %}
    <h3>Update Your Password</h3>
    {% if form.errors %}
        <div class="error-message">
            {% include 'icon-warning' %} {{ form.errors | default_errors }}
        </div>
    {% endif %}
    
    <div class="input-group">
        <input type="password" 
               id="new_password" 
               name="customer[password]" 
               placeholder="{{ 'customer.account.new_password' | t }}" 
               required />
    </div>
    
    <div class="input-group">
        <input type="password" 
               id="confirm_password" 
               name="customer[password_confirmation]" 
               placeholder="{{ 'customer.account.confirm_password' | t }}" 
               required />
    </div>
    
    <div class="submit-group">
        <input type="submit" value="Update Password" class="btn-primary" />
    </div>
{% endform %}

What am I doing wrong with this form setup? How can I properly handle password changes for already authenticated customers?

Yeah, this is how Shopify’s password form works by design. Even when customers are already logged in, Shopify still makes them verify through email for security - it won’t process the change right away. You’re getting that /account/invalid_token redirect because the password form needs a token from the email link. Since your customers are already logged in, you need a different approach. I’d build a custom form that asks for their current password plus the new one. Then use Shopify’s Customer API or a custom app to verify their current credentials and update the password. This skips the whole email verification dance while keeping things secure.
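The flow described in the answer above (ask for the current password, verify it, then set the new one), as an added example that is not part of the original post or Shopify's own code. It assumes a store on classic customer accounts and a custom app holding a Storefront API token, and uses the Storefront API mutations `customerAccessTokenCreate` and `customerUpdate`; `storefrontGql`, `changePassword`, and the shop domain, API version and token arguments are hypothetical names and placeholders.

```javascript
// Added example: re-authenticate with the current password before changing it.
// Assumes classic customer accounts and a Storefront API token (placeholders below).
const VERIFY = `mutation($input: CustomerAccessTokenCreateInput!) {
  customerAccessTokenCreate(input: $input) {
    customerAccessToken { accessToken }
    customerUserErrors { code message }
  }
}`;
const UPDATE = `mutation($token: String!, $customer: CustomerUpdateInput!) {
  customerUpdate(customerAccessToken: $token, customer: $customer) {
    customer { id }
    customerUserErrors { code message }
  }
}`;

// Transport: POSTs a GraphQL document to the shop's Storefront API endpoint.
// shopDomain, apiVersion and storefrontToken are placeholders supplied by the caller.
function storefrontGql(shopDomain, apiVersion, storefrontToken) {
  return async (query, variables) => {
    const res = await fetch(`https://${shopDomain}/api/${apiVersion}/graphql.json`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "X-Shopify-Storefront-Access-Token": storefrontToken,
      },
      body: JSON.stringify({ query, variables }),
    });
    if (!res.ok) throw new Error(`Storefront API HTTP ${res.status}`);
    return (await res.json()).data;
  };
}

// Verifies the current password, then sets the new one; never updates on a failed check.
async function changePassword(gql, { email, currentPassword, newPassword, confirmPassword }) {
  if (newPassword !== confirmPassword) return { ok: false, reason: "mismatch" };
  if (newPassword === currentPassword) return { ok: false, reason: "unchanged" };
  const auth = (await gql(VERIFY, { input: { email, password: currentPassword } }))
    .customerAccessTokenCreate;
  const token = auth.customerAccessToken && auth.customerAccessToken.accessToken;
  // One generic failure reason, so the response does not reveal which field was wrong.
  if (!token) return { ok: false, reason: "reauth_failed" };
  const upd = (await gql(UPDATE, { token, customer: { password: newPassword } }))
    .customerUpdate;
  if (upd.customerUserErrors.length) return { ok: false, reason: "rejected", errors: upd.customerUserErrors };
  return { ok: true };
}
```

Run this server-side (for example behind the custom app) and take `email` from the authenticated session rather than from a form field, so one logged-in customer cannot submit a change for another account.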