...
A password lifetime (in days) may be specified, in which case authentication will fail after the password has expired. Changing or resetting the password before it expires resets the password lifetime. After a password has expired it is no longer possible to change the password through the REST API - the password must be reset, by making a forgotten password request.
When requests are made to endpoint 2001: Authenticate and a password lifetime is defined, the password expiry date is returned as response header PasswordExpires
.
Password history
When password history is enabled, a history size (number of previous passwords) is specified, and users are prevented from changing their password to anything that has previously been used within this history size. When password hashing is enabled, this password history contains the hashes of previous passwords.
...