diff --git a/packages/backend-core/src/cache/passwordReset.ts b/packages/backend-core/src/cache/passwordReset.ts
index 7f5a93f149..a19e99745a 100644
--- a/packages/backend-core/src/cache/passwordReset.ts
+++ b/packages/backend-core/src/cache/passwordReset.ts
@@ -1,6 +1,6 @@
 import * as redis from "../redis/init"
 import * as utils from "../utils"
-import { Duration, DurationType } from "../utils"
+import { Duration } from "../utils"

 const TTL_SECONDS = Duration.fromHours(1).toSeconds()

@@ -36,3 +36,12 @@ export async function getCode(code: string): Promise {
 }
 return value
 }
+
+/**
+ * Given a reset code this will invalidate it.
+ * @param code The code provided via the email link.
+ */
+export async function invalidateCode(code: string): Promise {
+ const client = await redis.getPasswordResetClient()
+ await client.delete(code)
+}
diff --git a/packages/worker/src/sdk/auth/auth.ts b/packages/worker/src/sdk/auth/auth.ts
index 1f9da8a260..bdc5fc2366 100644
--- a/packages/worker/src/sdk/auth/auth.ts
+++ b/packages/worker/src/sdk/auth/auth.ts
@@ -79,6 +79,8 @@ export const resetUpdate = async (resetCode: string, password: string) => {
 user.password = password
 user = await userSdk.db.save(user)

+ await cache.passwordReset.invalidateCode(resetCode)
+
 // remove password from the user before sending events
 delete user.password
 await events.user.passwordReset(user)
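Review bot: `invalidateCode` throws away whatever `client.delete(code)` reports, so a caller cannot tell whether the code was still present when it was removed. If the Redis wrapper exposes the number of keys deleted (not visible in this hunk), returning that as a boolean would let the caller treat the delete itself as the single-use claim on the code instead of relying only on an earlier `getCode` lookup. The doc comment should also state what happens for a code that is missing or already expired, and that the function is meant to be called once a reset has been accepted so the emailed link cannot be replayed within the one-hour TTL.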
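Review bot: The reset code is invalidated only after `userSdk.db.save(user)` has completed, and as a separate step from the lookup that validates it (presumably earlier in `resetUpdate`, which starts and ends outside this hunk), so two concurrent requests carrying the same code can both pass validation and both set a password. Calling `await cache.passwordReset.invalidateCode(resetCode)` before `user.password = password` narrows that window and fails closed: if the save then errors, the user requests a fresh link rather than a used code staying live. In the current order, a Redis failure in `invalidateCode` rejects the request after the password has already changed and leaves the code usable until its TTL expires. Because the cache appears to be keyed by code, any other outstanding reset codes for the same user also remain valid after this change; that is worth a follow-up.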