Forgot password sends out multiple emails and even though last received resetPasswordToken works it got 3 incorrect code errors

System Information
  • Strapi Version:
  • Operating System: Catalina
  • Database: mongodb (Atlas)
  • Node Version: v12.20.2
  • NPM Version: 7.5.4
  • Yarn Version: 1.22.10

I set up the AWS SES plugin as follows:

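    email: {
      provider: "amazon-ses",
      // Credentials and endpoint are read from environment variables
      providerOptions: {
        key: env("AWS_ACCESS_KEY_ID"),
        secret: env("AWS_ACCESS_SECRET"),
        amazon: `https://email.${env("AWS_REGION")}`,
      },
      // Default sender and reply-to addresses for outgoing mail
      settings: {
        defaultFrom: env("EMAIL_DEFAULT_FROM"),
        defaultReplyTo: env("EMAIL_DEFAULT_REPLY_TO"),
      },
    },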


and I set up forgot password and reset password according to the docs.

When I hit the forgot password endpoint, it successfully sent out the reset-password URL with the privateCode, which is also visible in my mongodb user_permission_user collection for the targeted user.

However, this same email is always sent out 4 times, and only the last received email has the correct code matching the one I see in my mongodb user_permission_user collection.

So I went ahead and tested the reset password endpoint with the code provided, along with the new password and the confirmed new password. When I make the call, everything works: the password is successfully updated (I confirmed by logging in from my UI and also verified from the Strapi backend UI and the database), as the resetPasswordToken field in the user_permission_user collection becomes null, which is an indication that the password has already been reset.

However, in my browser devtools, I still see 3 additional call attempts after the successful call, and they all get the same 400 error message: “Incorrect code provided.” I am so confused, as I have no idea why this is happening. Please give me some insight.
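
The symptoms reported above can be reproduced with a small in-memory model of a single-slot, single-use reset token. This is an added example, not part of the original post and not Strapi's own code; `users`, `forgotPassword`, `resetPassword` and `replayScenario` are hypothetical names. It assumes the token lives in one field per user and is cleared on success, as the post's database observations suggest.

```javascript
// Added illustration: in-memory model of a single-slot, single-use reset token.
// Not Strapi's implementation; all names below are hypothetical.
const crypto = require("crypto");

const users = new Map(); // email -> { password, resetPasswordToken }

function forgotPassword(email) {
  const user = users.get(email);
  if (!user) return null;
  // One slot per user: each request overwrites the previous token,
  // so the codes carried by earlier emails stop matching.
  user.resetPasswordToken = crypto.randomBytes(32).toString("hex");
  return user.resetPasswordToken; // the value that would be emailed
}

function resetPassword(code, password, passwordConfirmation) {
  if (password !== passwordConfirmation) {
    return { status: 400, message: "Passwords do not match." };
  }
  // Never match a cleared (null) token, even if the request sends no code.
  const user = [...users.values()].find(
    (u) => u.resetPasswordToken !== null && u.resetPasswordToken === code
  );
  if (!user) return { status: 400, message: "Incorrect code provided." };
  user.password = password;
  user.resetPasswordToken = null; // single use: consumed on success
  return { status: 200 };
}

// Constructed scenario matching the post: forgot-password is requested four
// times, then the reset call is sent four times with the last code.
function replayScenario() {
  users.set("user@example.com", { password: "old", resetPasswordToken: null });
  const emailed = [1, 2, 3, 4].map(() => forgotPassword("user@example.com"));
  const stored = users.get("user@example.com").resetPasswordToken;
  const matching = emailed.map((c) => c === stored);
  const statuses = [1, 2, 3, 4].map(
    () => resetPassword(emailed[3], "new-pass", "new-pass").status
  );
  return { matching, statuses };
}

console.log(replayScenario());
```

In this model, only the fourth emailed code matches the stored token, and replaying a consumed code returns 400 on every attempt after the first.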