Password Reset Token Issue

The SBA Application enables an end-user to reset or change a password using “Forgot Password” URL. End-user can change the password for security reasons or reset it if forgotten. The password reset URL contains a token with special characters. Some email clients will decode/encode it differently. As a result, the token is retrieved by the end-user can be different from the one in the SBA Application.  

Verify Token issue 

  1. Ask the end-user for the password reset URL 

  2. Check the URL contain any non-ASCII characters like %3d, %2a in the URL like the one below 


  4. Go to   

  5. Copy and paste the token ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1MnWe on the left box 

  6. Remove We at the end of the token “ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1Mn” 

  7. Click Decode URL 

  8. The decoded token will show on the right box ZgZDcdJ2MeBlJ5K8uzmV4g==*1Mn 

  9. Give the customer the correct token with the URL to reset the password 


  11. Confirm with the end-user if the password reset success or failure with the decoded token. 


Email Hosting companies create token issue are:  


  2. highway 


End-user requests password reset email. (User must have a valid email on SBA Certify) 

  1. Go to 

  2. Click Login (Blue button on the middle of the page)

  3. Click Forgot Your Password (Red Button) 

  4. Enter a valid email address and click send the instructions button in blue 

  5. End-user check his/her email

  6. Click the reset URL in the email to reset the password