Here's how I'm going to do this. You post to http://.../users/{id}/login and the form data must contain exactly one parameter `cleartext_password`. If the value matches the stored, hashed password, an HTTP 204 (No Content) is returned. If they do not match, an HTTP 403 (Forbidden) is returned. There is no content body in either case, and thus the POST creates no addressable resource.

The nice thing is that this will support hash migration as per passlib.

** Changed in: mailman
   Milestone: None => 3.0.0b3

** Changed in: mailman
     Assignee: (unassigned) => Barry Warsaw (barry)

** Changed in: mailman
   Importance: Undecided => High

** Changed in: mailman
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1065447

Title:
  Feature request: REST api to verify password

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1065447/+subscriptions
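As an added illustration (not Mailman's code), here is a model of the 204/403 check described above together with the migration step: a successful login against a hash in a deprecated scheme re-hashes the password with the current scheme, the verify-and-update pattern passlib provides. It uses hashlib stand-ins instead of passlib; the `{SHA1}` legacy format, the 400/404 responses, and the dict-backed user store are assumptions.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # constructed value; tune per deployment


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_legacy_sha1(password):
    """Deprecated scheme (assumed): unsalted SHA-1, kept only to verify old hashes."""
    return "{SHA1}" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_pbkdf2(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Current scheme: salted PBKDF2-HMAC-SHA256, self-describing format."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$pbkdf2-sha256$%d$%s$%s" % (rounds, _b64(salt), _b64(dk))


def verify_and_update(password, stored):
    """Return (ok, new_hash). new_hash is set only when the stored hash used a
    deprecated scheme and should be replaced after a successful check."""
    if stored.startswith("{SHA1}"):
        ok = hmac.compare_digest(hash_legacy_sha1(password), stored)
        return ok, (hash_pbkdf2(password) if ok else None)
    if stored.startswith("$pbkdf2-sha256$"):
        _, _, rounds, salt, _dk = stored.split("$")
        recomputed = hash_pbkdf2(password, base64.b64decode(salt), int(rounds))
        return hmac.compare_digest(recomputed, stored), None
    return False, None  # unknown scheme never verifies


def login(store, user_id, form):
    """Model of POST /users/{id}/login: returns only the HTTP status code.
    `store` maps user id -> stored hash; `form` is the decoded form data."""
    if set(form) != {"cleartext_password"}:
        return 400  # assumption: anything but exactly one parameter is a client error
    if user_id not in store:
        return 404  # assumption: unknown user id
    ok, new_hash = verify_and_update(form["cleartext_password"], store[user_id])
    if not ok:
        return 403  # Forbidden, no body
    if new_hash is not None:
        store[user_id] = new_hash  # migrate to the current scheme on success only
    return 204  # No Content: nothing addressable was created
```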