5 changes: 5 additions & 0 deletions docs/auth/manage-users.md
Expand Up @@ -162,6 +162,11 @@ await FirebaseAuth.instance
.sendPasswordResetEmail(email: "user@example.com");
```

Note: If
[email enumeration protection](https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection)
is enabled for your Firebase project, `sendPasswordResetEmail()` may complete
without throwing an error even when the email address is not registered. This is
expected Firebase Auth behavior to prevent revealing whether an email exists.
You can customize the email template that is used in Authentication section of
the [Firebase console](https://console.firebase.google.com/), on the Email Templates page.
See [Email Templates](https://support.google.com/firebase/answer/7000714) in
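Review bot: the added note ends at "expected Firebase Auth behavior to prevent revealing whether an email exists." and the next line, "You can customize the email template...", follows with no blank line, so Markdown will render the note and the template paragraph as one block. Add a blank line after the note. The note could also tell the reader what to do about it: since the call may complete without an error for an unregistered address, the app's confirmation text should be neutral (for example "if an account exists for this address, a reset email has been sent") rather than implying the address is registered.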
Expand Up @@ -297,6 +297,10 @@ class FirebaseAuth extends FirebasePluginPlatform implements FirebaseService {
/// To complete the password reset, call [confirmPasswordReset] with the code supplied
/// in the email sent to the user, along with the new password specified by the user.
///
/// If email enumeration protection is enabled for the Firebase project, this
/// method may complete successfully even when the email does not correspond
/// to an existing user.
///
/// May throw a [FirebaseAuthException] with the following error codes:
///
/// - **auth/invalid-email**\
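Review bot: the new paragraph ("this method may complete successfully even when the email does not correspond to an existing user") sits above the error-code list but does not name the code it affects. Mention `auth/user-not-found` here, or point to its entry further down in this doc comment, so a reader who stops at this paragraph knows which error stops being reported. The platform-interface comment changed in this PR also gives the reason for the behaviour ("This prevents apps from using password reset requests to discover registered email addresses"); consider carrying that sentence over so the two comments match.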
Expand All @@ -312,7 +316,8 @@ class FirebaseAuth extends FirebasePluginPlatform implements FirebaseService {
/// - **auth/unauthorized-continue-uri**\
/// The domain of the continue URL is not whitelisted. Whitelist the domain in the Firebase console.
/// - **auth/user-not-found**\
/// Thrown if there is no user corresponding to the email address. Note: This exception is no longer thrown when enabling email enumeration protection.
/// Thrown if there is no user corresponding to the email address. Note: This
/// exception is not thrown when email enumeration protection is enabled.
Future<void> sendPasswordResetEmail({
required String email,
ActionCodeSettings? actionCodeSettings,
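Review bot: "exception is not thrown when email enumeration protection is enabled" is absolute, while the paragraph added earlier in this same doc comment says the method "may complete successfully". Pick one wording for both so callers know whether `auth/user-not-found` can still appear with protection on. It is also worth adding that code which catches this error to show a "no account" message will not reach that branch once protection is enabled.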
Expand Up @@ -313,8 +313,12 @@ abstract class FirebaseAuthPlatform extends PlatformInterface {
}

/// Triggers the Firebase Authentication backend to send a password-reset
/// email to the given email address, which must correspond to an existing
/// user of your app.
/// email to the given email address.
///
/// If email enumeration protection is enabled for the Firebase project, this
/// method may complete successfully even when the email does not correspond
/// to an existing user. This prevents apps from using password reset requests
/// to discover registered email addresses.
Future<void> sendPasswordResetEmail(
String email, [
ActionCodeSettings? actionCodeSettings,
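Review bot: removing "which must correspond to an existing user of your app" leaves this comment describing only the case where protection is enabled; nothing now says what happens for an unknown address when it is off. Add a sentence that the call then fails with a user-not-found error, as the `FirebaseAuth` doc comment in this PR lists under **auth/user-not-found**. In the last added sentence, "prevents apps from using password reset requests" would read better as "prevents callers from using password reset requests", since the party being stopped is whoever sends the request.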