diff --git a/src/Host/Controllers/Identity/UsersController.cs b/src/Host/Controllers/Identity/UsersController.cs
index fd8a594bf..2ca9e92db 100644
--- a/src/Host/Controllers/Identity/UsersController.cs
+++ b/src/Host/Controllers/Identity/UsersController.cs
@@ -110,6 +110,8 @@ public Task ForgotPasswordAsync(ForgotPasswordRequest request)
     }
     [HttpPost("reset-password")]
+    [AllowAnonymous]
+    [TenantIdHeader]
     [OpenApiOperation("Reset a user's password.", "")]
     [ApiConventionMethod(typeof(FSHApiConventions), nameof(FSHApiConventions.Register))]
     public Task ResetPasswordAsync(ResetPasswordRequest request)
diff --git a/src/Infrastructure/Identity/UserService.Password.cs b/src/Infrastructure/Identity/UserService.Password.cs
index 20d3a7dc5..b30a2eb1b 100644
--- a/src/Infrastructure/Identity/UserService.Password.cs
+++ b/src/Infrastructure/Identity/UserService.Password.cs
@@ -21,7 +21,7 @@ public async Task ForgotPasswordAsync(ForgotPasswordRequest request, str
         // For more information on how to enable account confirmation and password reset please
         // visit https://go.microsoft.com/fwlink/?LinkID=532713
         string code = await _userManager.GeneratePasswordResetTokenAsync(user);
-        const string route = "account/reset-password";
+        const string route = $"api/users/reset-password";
         var endpointUri = new Uri(string.Concat($"{origin}/", route));
         string passwordResetUrl = QueryHelpers.AddQueryString(endpointUri.ToString(), "Token", code);
         var mailRequest = new MailRequest(
@@ -35,6 +35,8 @@ public async Task ForgotPasswordAsync(ForgotPasswordRequest request, str
     public async Task ResetPasswordAsync(ResetPasswordRequest request)
     {
+        EnsureValidTenant();
+
         var user = await _userManager.FindByEmailAsync(request.Email?.Normalize());
         // Don't reveal that the user does not exist
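Review bot: `[AllowAnonymous]` on `ResetPasswordAsync` makes the reset token carried in `ResetPasswordRequest` the only credential guarding this endpoint, and nothing on the attribute lines records that this is deliberate; a comment such as `// Anonymous by design: the caller proves possession of the reset token issued by ForgotPasswordAsync, and the tenant comes from the header because there is no authenticated principal.` would stop a later maintainer from "fixing" it. With `[TenantIdHeader]` the tenant is now selected by an unauthenticated caller, so the `EnsureValidTenant()` call added in UserService.Password.cs is load-bearing and should stay paired with this attribute. Because the endpoint is reachable without a session, it is also worth confirming that whatever rate limiting or lockout protects forgot-password covers this route too, which this hunk cannot show. The body of `ResetPasswordAsync` lies outside the hunk.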
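Review bot: The new `route` sends the e-mailed link to `api/users/reset-password`, which UsersController exposes only under `[HttpPost]`, so following the link from a mail client (a GET with `Token` in the query string, per the `AddQueryString` line) cannot complete the reset unless a front-end intercepts that path; the old `account/reset-password` value looked like a UI route, so the intended flow should be confirmed. Independently, the `$` prefix on a constant with no interpolation holes is noise, and `const string route = "api/users/reset-password";` reads cleaner. The link is built from `origin` concatenated verbatim; if that value is taken from the incoming request rather than from configuration, it should be checked against an allow-list of known hosts before being embedded in a token-bearing URL, since a reset link that points at an unexpected host hands the token to that host. The body of `ForgotPasswordAsync` starts before and ends after this hunk.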