Currently the password reset API only requires a username and does not support CAPTCHAs. Without CAPTCHA support it's fairly easy for a malicious party to spam legitimate users with password reset emails. I propose CAPTCHA support for password reset just like there's one for magic links and registrations.
Thank you for submitting this idea. I agree it would be good to protect the password reset flows with reCAPTCHA and we will consider adding this.
We are being spammed by bots requesting 300+ password resets on brand new bot-created accounts. 4 million+ password resets this year so far, and all are calling the Arc services directly, which are not protected.
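An added example, not part of the thread and not Arc's code: a sketch of enforcing the CAPTCHA inside the reset API itself, so requests that skip the web form are still challenged, with a per-account cap on reset emails. The `ResetGate` class, the limits, and the stub token verifier are all assumptions for illustration; a real deployment would call its CAPTCHA provider's verification endpoint in `verify_captcha`.

```python
import time
from collections import defaultdict, deque


class ResetGate:
    """Hypothetical server-side gate in front of a password-reset handler."""

    def __init__(self, verify_captcha, send_email, limit=3, window_s=3600,
                 clock=time.monotonic):
        self.verify_captcha = verify_captcha  # callable(token) -> bool
        self.send_email = send_email          # callable(username)
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.recent = defaultdict(deque)      # username -> send timestamps

    def request_reset(self, username, captcha_token=None):
        """Return (http_status, email_sent); email_sent is for logs only."""
        # Checked in the API itself, so callers that skip the web form
        # and hit the service directly are still challenged.
        if not captcha_token or not self.verify_captcha(captcha_token):
            return 400, False
        now = self.clock()
        sent = self.recent[username.strip().lower()]
        while sent and now - sent[0] >= self.window_s:
            sent.popleft()                    # forget sends outside the window
        if len(sent) >= self.limit:
            return 202, False                 # same status as success, no email
        sent.append(now)
        self.send_email(username)
        return 202, True


def simulate(attempts=300):
    """Constructed traffic: one account hit `attempts` times, two ways."""
    unused = {f"tok-{i}" for i in range(attempts)}  # stub single-use tokens

    def verify(token):                        # stands in for the CAPTCHA provider
        if token in unused:
            unused.discard(token)
            return True
        return False

    outbox = []
    gate = ResetGate(verify, outbox.append, clock=lambda: 0.0)
    no_token = [gate.request_reset("victim@example.com") for _ in range(attempts)]
    solved = [gate.request_reset("victim@example.com", f"tok-{i}")
              for i in range(attempts)]
    replay = gate.request_reset("other@example.com", "tok-0")  # token already used
    return {"no_token_emails": sum(s for _, s in no_token),
            "solved_emails": sum(s for _, s in solved),
            "replay": replay, "outbox": len(outbox)}
```

The throttled branch returns the same status as a successful request, so a caller cannot tell from the response whether an email went out.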