diff --git a/test/api/v3/integration/user/auth/POST-auth_reset-password-set-new-one.js b/test/api/v3/integration/user/auth/POST-auth_reset-password-set-new-one.js
index 472872988d..25ae9e7c5d 100644
--- a/test/api/v3/integration/user/auth/POST-auth_reset-password-set-new-one.js
+++ b/test/api/v3/integration/user/auth/POST-auth_reset-password-set-new-one.js
@@ -238,6 +238,28 @@ describe('POST /user/auth/reset-password-set-new-one', () => {
     expect(isPassValid).to.equal(true);
   });
 
+  it('changes the apiToken on password reset', async () => {
+    const user = await generateUser();
+    const previousToken = user.apiToken;
+
+    const code = encrypt(JSON.stringify({
+      userId: user._id,
+      expiresAt: moment().add({ days: 1 }),
+    }));
+    await user.updateOne({
+      'auth.local.passwordResetCode': code,
+    });
+
+    await api.post(`${endpoint}`, {
+      newPassword: 'my new password',
+      confirmPassword: 'my new password',
+      code,
+    });
+
+    await user.sync();
+    expect(user.apiToken).to.not.eql(previousToken);
+  });
+
   it('renders the success page and convert the password from sha1 to bcrypt', async () => {
     const user = await generateUser();
 
diff --git a/test/api/v3/integration/user/auth/PUT-user_update_password.test.js b/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
index 916e377a7f..6b764d7e1b 100644
--- a/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
+++ b/test/api/v3/integration/user/auth/PUT-user_update_password.test.js
@@ -27,11 +27,30 @@ describe('PUT /user/auth/update-password', async () => {
       newPassword,
       confirmPassword: newPassword,
     });
-    expect(response).to.eql({});
+
+    expect(response).to.exist;
+    expect(response.apiToken).to.exist;
+
     await user.sync();
     expect(user.auth.local.hashed_password).to.not.eql(previousHashedPassword);
   });
 
+  it('should change the apiToken on password change', async () => {
+    const previousToken = user.apiToken;
+    const response = await user.put(ENDPOINT, {
+      password,
+      newPassword,
+      confirmPassword: newPassword,
+    });
+
+    const newToken = response.apiToken;
+    expect(newToken).to.exist;
+
+    await user.sync();
+    expect(user.apiToken).to.eql(newToken);
+    expect(user.apiToken).to.not.eql(previousToken);
+  });
+
   it('returns an error when confirmPassword does not match newPassword', async () => {
     await expect(user.put(ENDPOINT, {
       password,
diff --git a/website/client/src/app.vue b/website/client/src/app.vue
index 2b1215b6df..839b297e0a 100644
--- a/website/client/src/app.vue
+++ b/website/client/src/app.vue
@@ -111,6 +111,7 @@ import axios from 'axios';
 import * as Analytics from '@/libs/analytics';
 import { mapState } from '@/libs/store';
 import snackbars from '@/components/snackbars/notifications';
+import { LOCALSTORAGE_AUTH_KEY } from '@/libs/auth';
 
 const COMMUNITY_MANAGER_EMAIL = import.meta.env.EMAILS_COMMUNITY_MANAGER_EMAIL;
 
@@ -280,7 +281,7 @@ export default {
       this.loading = false;
     },
     checkForBannedUser (error) {
-      const AUTH_SETTINGS = localStorage.getItem('habit-mobile-settings');
+      const AUTH_SETTINGS = localStorage.getItem(LOCALSTORAGE_AUTH_KEY);
       const parseSettings = JSON.parse(AUTH_SETTINGS);
       const errorMessage = error.response.data.message;
 
diff --git a/website/client/src/components/bannedAccountModal.vue b/website/client/src/components/bannedAccountModal.vue
index 7825605a06..3d77931247 100644
--- a/website/client/src/components/bannedAccountModal.vue
+++ b/website/client/src/components/bannedAccountModal.vue
@@ -30,6 +30,7 @@
 
 <script>
 import markdownDirective from '@/directives/markdown';
+import { LOCALSTORAGE_AUTH_KEY } from '@/libs/auth';
 
 const COMMUNITY_MANAGER_EMAIL = import.meta.env.EMAILS_COMMUNITY_MANAGER_EMAIL; // eslint-disable-line
 
@@ -39,7 +40,7 @@ export default {
   },
   computed: {
     bannedMessage () {
-      const AUTH_SETTINGS = localStorage.getItem('habit-mobile-settings');
+      const AUTH_SETTINGS = localStorage.getItem(LOCALSTORAGE_AUTH_KEY);
       const parseSettings = JSON.parse(AUTH_SETTINGS);
       const userId = parseSettings ? parseSettings.auth.apiId : '';
 
diff --git a/website/client/src/libs/auth.js b/website/client/src/libs/auth.js
index 6f15394ff0..f5dfe267be 100644
--- a/website/client/src/libs/auth.js
+++ b/website/client/src/libs/auth.js
@@ -1,9 +1,18 @@
 import axios from 'axios';
 import moment from 'moment';
 
+export const LOCALSTORAGE_AUTH_KEY = 'habit-mobile-settings';
+
+export function authAsCredentialsState (authObject) {
+  return {
+    API_ID: authObject.auth.apiId,
+    API_TOKEN: authObject.auth.apiToken,
+  };
+}
+
 export function setUpAxios (AUTH_SETTINGS) { // eslint-disable-line import/prefer-default-export
   if (!AUTH_SETTINGS) {
-    AUTH_SETTINGS = localStorage.getItem('habit-mobile-settings'); // eslint-disable-line no-param-reassign, max-len
+    AUTH_SETTINGS = localStorage.getItem(LOCALSTORAGE_AUTH_KEY); // eslint-disable-line no-param-reassign, max-len
     if (!AUTH_SETTINGS) return false;
     AUTH_SETTINGS = JSON.parse(AUTH_SETTINGS); // eslint-disable-line no-param-reassign
   }
diff --git a/website/client/src/libs/modform.js b/website/client/src/libs/modform.js
index 3f3f93ecbe..7cbd202cb8 100644
--- a/website/client/src/libs/modform.js
+++ b/website/client/src/libs/modform.js
@@ -1,6 +1,8 @@
+import { LOCALSTORAGE_AUTH_KEY } from '@/libs/auth';
+
 // @TODO: I have abstracted this in another PR. Use that function when merged
 function getApiKey () {
-  let AUTH_SETTINGS = localStorage.getItem('habit-mobile-settings');
+  let AUTH_SETTINGS = localStorage.getItem(LOCALSTORAGE_AUTH_KEY);
 
   if (AUTH_SETTINGS) {
     AUTH_SETTINGS = JSON.parse(AUTH_SETTINGS);
diff --git a/website/client/src/pages/settings/settingRows/passwordSetting.vue b/website/client/src/pages/settings/settingRows/passwordSetting.vue
index 009888c36e..706cf9204b 100644
--- a/website/client/src/pages/settings/settingRows/passwordSetting.vue
+++ b/website/client/src/pages/settings/settingRows/passwordSetting.vue
@@ -158,7 +158,14 @@ export default {
           confirmPassword: this.passwordUpdates.confirmPassword,
         };
 
-        await axios.put('/api/v4/user/auth/update-password', localAuthData);
+        const updatePasswordResult = await axios.put('/api/v4/user/auth/update-password', localAuthData);
+
+        const newToken = updatePasswordResult.data.data.apiToken;
+
+        this.$store.dispatch('auth:setNewToken', {
+          userId: this.user._id,
+          apiToken: newToken,
+        });
 
         this.passwordUpdates = {};
         this.$store.dispatch('snackbars:add', {
diff --git a/website/client/src/pages/user-main.vue b/website/client/src/pages/user-main.vue
index dd6dfd3e0c..be10255d30 100644
--- a/website/client/src/pages/user-main.vue
+++ b/website/client/src/pages/user-main.vue
@@ -147,8 +147,6 @@ import {
 const bugReportModal = () => import('@/components/bugReportModal');
 const bugReportSuccessModal = () => import('@/components/bugReportSuccessModal');
 
-const COMMUNITY_MANAGER_EMAIL = import.meta.env.EMAILS_COMMUNITY_MANAGER_EMAIL;
-
 export default {
   name: 'App',
   components: {
@@ -325,29 +323,6 @@ export default {
     if (loadingScreen) document.body.removeChild(loadingScreen);
   },
   methods: {
-    checkForBannedUser (error) {
-      const AUTH_SETTINGS = localStorage.getItem('habit-mobile-settings');
-      const parseSettings = JSON.parse(AUTH_SETTINGS);
-      const errorMessage = error.response.data.message;
-
-      // Case where user is not logged in
-      if (!parseSettings) {
-        return false;
-      }
-
-      const bannedMessage = this.$t('accountSuspended', {
-        communityManagerEmail: COMMUNITY_MANAGER_EMAIL,
-        userId: parseSettings.auth.apiId,
-      });
-
-      if (errorMessage !== bannedMessage) return false;
-
-      this.$store.dispatch('auth:logout', { redirectToLogin: true });
-      return true;
-    },
-    itemSelected (item) {
-      this.selectedItemToBuy = item;
-    },
     genericPurchase (item) {
       if (!item) return false;
 
diff --git a/website/client/src/store/actions/auth.js b/website/client/src/store/actions/auth.js
index 2d5a352316..a9f270d160 100644
--- a/website/client/src/store/actions/auth.js
+++ b/website/client/src/store/actions/auth.js
@@ -1,6 +1,20 @@
 import axios from 'axios';
+import { authAsCredentialsState, LOCALSTORAGE_AUTH_KEY } from '@/libs/auth';
 
-const LOCALSTORAGE_AUTH_KEY = 'habit-mobile-settings';
+function saveLocalDataAuth (store, apiId, apiToken) {
+  const credentialsObj = {
+    auth: {
+      apiId,
+      apiToken,
+    },
+  };
+
+  const userLocalData = JSON.stringify(credentialsObj);
+
+  localStorage.setItem(LOCALSTORAGE_AUTH_KEY, userLocalData);
+
+  store.state.credentials = authAsCredentialsState(credentialsObj);
+}
 
 export async function register (store, params) {
   let url = '/api/v4/user/auth/local/register';
@@ -16,13 +30,7 @@ export async function register (store, params) {
 
   const user = result.data.data;
 
-  const userLocalData = JSON.stringify({
-    auth: {
-      apiId: user._id,
-      apiToken: user.apiToken,
-    },
-  });
-  localStorage.setItem(LOCALSTORAGE_AUTH_KEY, userLocalData);
+  saveLocalDataAuth(store, user.id, user.apiToken);
 }
 
 export async function login (store, params) {
@@ -35,14 +43,7 @@ export async function login (store, params) {
 
   const user = result.data.data;
 
-  const userLocalData = JSON.stringify({
-    auth: {
-      apiId: user.id,
-      apiToken: user.apiToken,
-    },
-  });
-
-  localStorage.setItem(LOCALSTORAGE_AUTH_KEY, userLocalData);
+  saveLocalDataAuth(store, user.id, user.apiToken);
 }
 
 export async function verifyUsername (store, params) {
@@ -72,14 +73,7 @@ export async function socialAuth (store, params) {
 
   const user = result.data.data;
 
-  const userLocalData = JSON.stringify({
-    auth: {
-      apiId: user.id,
-      apiToken: user.apiToken,
-    },
-  });
-
-  localStorage.setItem(LOCALSTORAGE_AUTH_KEY, userLocalData);
+  saveLocalDataAuth(store, user.id, user.apiToken);
 }
 
 export async function appleAuth (store, params) {
@@ -93,14 +87,7 @@ export async function appleAuth (store, params) {
 
   const user = result.data.data;
 
-  const userLocalData = JSON.stringify({
-    auth: {
-      apiId: user.id,
-      apiToken: user.apiToken,
-    },
-  });
-
-  localStorage.setItem(LOCALSTORAGE_AUTH_KEY, userLocalData);
+  saveLocalDataAuth(store, user.id, user.apiToken);
 }
 
 export function logout (store, options = {}) {
@@ -108,3 +95,7 @@ export function logout (store, options = {}) {
   const query = options.redirectToLogin === true ? '?redirectToLogin=true' : '';
   window.location.href = `/logout-server${query}`;
 }
+
+export function setNewToken (store, params) {
+  saveLocalDataAuth(store, params.userId, params.apiToken);
+}
diff --git a/website/client/src/store/index.js b/website/client/src/store/index.js
index 2212ec4cd4..86d791ed94 100644
--- a/website/client/src/store/index.js
+++ b/website/client/src/store/index.js
@@ -6,7 +6,7 @@ import { DAY_MAPPING } from '@/../../common/script/cron';
 import deepFreeze from '@/libs/deepFreeze';
 import Store from '@/libs/store';
 import { asyncResourceFactory } from '@/libs/asyncResource';
-import { setUpAxios } from '@/libs/auth';
+import { authAsCredentialsState, LOCALSTORAGE_AUTH_KEY, setUpAxios } from '@/libs/auth';
 
 import actions from './actions';
 import getters from './getters';
@@ -22,7 +22,7 @@ const browserTimezoneUtcOffset = moment().utcOffset();
 
 axios.defaults.headers.common['x-client'] = 'habitica-web';
 
-let AUTH_SETTINGS = window.localStorage.getItem('habit-mobile-settings');
+let AUTH_SETTINGS = window.localStorage.getItem(LOCALSTORAGE_AUTH_KEY);
 if (AUTH_SETTINGS) {
   AUTH_SETTINGS = JSON.parse(AUTH_SETTINGS);
   isUserLoggedIn = setUpAxios(AUTH_SETTINGS);
@@ -64,10 +64,7 @@ export default function clientStore () {
       // see https://github.com/HabitRPG/habitica/issues/9242
       notificationsRemoved: [],
       worldState: asyncResourceFactory(),
-      credentials: isUserLoggedIn ? {
-        API_ID: AUTH_SETTINGS.auth.apiId,
-        API_TOKEN: AUTH_SETTINGS.auth.apiToken,
-      } : {},
+      credentials: isUserLoggedIn ? authAsCredentialsState(AUTH_SETTINGS) : {},
       // store the timezone offset in case it's different than the one in
       // user.preferences.timezoneOffset and change it after the user is synced
       // in app.vue
diff --git a/website/common/locales/en/settings.json b/website/common/locales/en/settings.json
index 6cf2665eda..3b653e5a65 100644
--- a/website/common/locales/en/settings.json
+++ b/website/common/locales/en/settings.json
@@ -87,13 +87,12 @@
     "API": "API",
     "APICopied": "API token copied to clipboard.",
     "APITokenTitle": "API Token",
-    "APITokenDisclaimer": "<b>Your API Token is like a password; Do not share it publicly.</b> You may occasionally be asked for your User ID, but never post your API Token where others can see it, including on Github.<br><br><b>Note:</b> If you need a new API Token (e.g., if you accidentally shared it), email <a href='mailto:admin@habitica.com' target='_blank'>admin@habitica.com</a> with your User ID and current Token. Once it is reset you will need to re-authorize everything by logging out of the website and mobile app and by providing the new Token to any other Habitica tools that you use.",
+    "APITokenDisclaimer": "<b>Your API Token is like a password; Do not share it publicly.</b> You may occasionally be asked for your User ID, but never post your API Token where others can see it, including on Github.<br><br><b>If you need a new API Token</b>  (e.g., if you accidentally shared it), you can change your password to reset it. Once it is reset, you will need to log back in to any other devices you use Habitica on and provide the new API Token to third-party tools you may use.",
     "APIv3": "API v3",
     "APIText": "Copy these for use in third party applications. However, think of your API Token like a password, and do not share it publicly. You may occasionally be asked for your User ID, but never post your API Token where others can see it, including on Github.",
     "APIToken": "API Token (this is a password - see warning above!)",
     "showAPIToken": "Show API Token",
     "hideAPIToken": "Hide API Token",
-    "APITokenWarning": "If you need a new API Token (e.g., if you accidentally shared it), email <%= hrefTechAssistanceEmail %> with your User ID and current Token. Once it is reset you will need to re-authorize everything by logging out of the website and mobile app and by providing the new Token to any other Habitica tools that you use.",
     "thirdPartyApps": "Third Party Apps",
     "thirdPartyTools": "Find third party apps, extensions, and all kinds of other tools you can use with your account on the <a href='https://habitica.fandom.com/wiki/Extensions,_Add-Ons,_and_Customizations' target='_blank'>Habitica wiki</a>.",
     "resetDo": "Do it, reset my account!",
@@ -212,7 +211,7 @@
     "changeUsernameDisclaimer": "Your username is used for invitations, @mentions in chat, and messaging. It must be 1 to 20 characters, containing only letters a to z, numbers 0 to 9, hyphens, or underscores, and cannot include any inappropriate terms.",
     "changeEmailDisclaimer": "This is the email address that you use to log in to Habitica, as well as receive notifications.",
     "changeDisplayNameDisclaimer": "This is the name that will be displayed for your Avatar in Habitica.",
-    "changePasswordDisclaimer": "Password must be 8 characters or more. We recommend a strong password that you're not using elsewhere.",
+    "changePasswordDisclaimer": "Passwords must be 8 characters or more. Changing your password will log you out of any other devices and third-party tools you may use.",
     "dateFormatDisclaimer": "Adjust the date formatting across Habitica.",
     "verifyUsernameVeteranPet": "One of these Veteran Pets will be waiting for you after you've finished confirming!",
     "enableAudio": "Enable Audio",
diff --git a/website/server/controllers/api-v3/auth.js b/website/server/controllers/api-v3/auth.js
index 9700ddfe1a..22530d0a55 100644
--- a/website/server/controllers/api-v3/auth.js
+++ b/website/server/controllers/api-v3/auth.js
@@ -271,7 +271,7 @@ api.updateUsername = {
  * @apiParam (Body) {String} newPassword The new password
  * @apiParam (Body) {String} confirmPassword New password confirmation
  *
- * @apiSuccess {Object} data An empty object
+ * @apiSuccess {String} data.apiToken The new apiToken
  * */
 api.updatePassword = {
   method: 'PUT',
@@ -316,9 +316,14 @@ api.updatePassword = {
 
     // set new password and make sure it's using bcrypt for hashing
     await passwordUtils.convertToBcrypt(user, newPassword);
+
+    user.apiToken = common.uuid();
+
     await user.save();
 
-    res.respond(200, {});
+    res.respond(200, {
+      apiToken: user.apiToken,
+    });
   },
 };
 
@@ -350,6 +355,7 @@ api.resetPassword = {
       { 'auth.local.email': email }, // Prefer to reset password for local auth
       { auth: 1 },
     ).exec();
+
     if (!user) { // If no local auth with that email...
       const potentialUsers = await User.find(
         {
@@ -486,6 +492,9 @@ api.resetPasswordSetNewOne = {
     await passwordUtils.convertToBcrypt(user, String(newPassword));
     user.auth.local.passwordResetCode = undefined; // Reset saved password reset code
     if (!user.auth.local.email) user.auth.local.email = await socialEmailToLocal(user);
+
+    user.apiToken = common.uuid();
+
     await user.save();
 
     return res.respond(200, {}, res.t('passwordChangeSuccess'));