Email Recovery

Setup

Email recovery lets players reset their password via a recovery code sent to their linked email.

email-recovery:
  enabled: true
  smtp:
    host: "smtp.gmail.com"
    port: 587
    username: "your-email@gmail.com"
    password: "app-password"
    from: "noreply@yourserver.com"
    tls: true
  code-expiry: 10    # minutes
  cooldown: 5        # minutes between requests

For Gmail, use an App Password (not your regular password). Enable 2-Step Verification in your Google account, then generate an app password at myaccount.google.com/apppasswords.

Player Flow

Link an email

/email set user@example.com

The player must be authenticated to run this command. The email is stored in the xlogin_accounts table.

Recover password

  1. Player runs /recover <username>. XLogin sends a 6-digit code to the linked email.
  2. Player runs /recover <username> <code> <newpassword>. The code is validated and the password is reset.
  3. Player can now /login with the new password.

Codes are stored in memory (not in the database), expire after code-expiry minutes, and are single-use.
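
The code lifecycle described above (6-digit code, code-expiry, cooldown, in-memory and single-use), sketched in Python as an added example. This is not XLogin's own code: the class and method names are hypothetical, and it assumes the cooldown is tracked per username and that a wrong guess leaves the code valid until it expires.

```python
import hmac
import secrets
import time

CODE_EXPIRY_S = 10 * 60   # code-expiry: 10 (minutes)
COOLDOWN_S = 5 * 60       # cooldown: 5 (minutes between requests)


class RecoveryCodes:
    """Hypothetical in-memory store; contents are lost when the process exits."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}       # username -> (code, issued_at)
        self._last_request = {}  # username -> time of last code request

    def issue(self, username):
        """Return a new 6-digit code, or None while the cooldown is active."""
        now = self._clock()
        last = self._last_request.get(username)
        if last is not None and now - last < COOLDOWN_S:
            return None
        self._last_request[username] = now
        # CSPRNG source; zero-padded so codes such as 004217 keep six digits.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (code, now)  # replaces any earlier code
        return code

    def redeem(self, username, submitted):
        """True only for the current, unexpired code; success consumes it."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, issued_at = entry
        if self._clock() - issued_at >= CODE_EXPIRY_S:
            del self._pending[username]   # expired codes are dropped
            return False
        # Constant-time comparison (assumption: wrong guesses do not consume).
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False
        del self._pending[username]       # single-use
        return True
```

The password reset itself would run only when redeem() returns True; the clock parameter exists so expiry and cooldown can be tested without waiting.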