diff --git a/src/web/api/server/v1/contexts/user/forms.rs b/src/web/api/server/v1/contexts/user/forms.rs
index 6365c4da..fdcfd0cb 100644
--- a/src/web/api/server/v1/contexts/user/forms.rs
+++ b/src/web/api/server/v1/contexts/user/forms.rs
@@ -22,3 +22,12 @@ pub struct LoginForm {
 pub struct JsonWebToken {
 pub token: String, // // todo: rename to `encoded` or `value`
 }
+
+// Profile
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct ChangePasswordForm {
+ pub password: String,
+ pub new_password: String,
+ pub confirm_password: String,
+}
diff --git a/src/web/api/server/v1/contexts/user/handlers.rs b/src/web/api/server/v1/contexts/user/handlers.rs
index 58326e9d..e6b36ae5 100644
--- a/src/web/api/server/v1/contexts/user/handlers.rs
+++ b/src/web/api/server/v1/contexts/user/handlers.rs
@@ -7,9 +7,10 @@ use axum::response::{IntoResponse, Response};
 use axum::Json;
 use serde::Deserialize;
 
-use super::forms::{JsonWebToken, LoginForm, RegistrationForm};
+use super::forms::{ChangePasswordForm, JsonWebToken, LoginForm, RegistrationForm};
 use super::responses::{self};
 use crate::common::AppData;
+use crate::errors::ServiceError;
 use crate::web::api::server::v1::extractors::user_id::ExtractLoggedInUser;
 use crate::web::api::server::v1::responses::OkResponseData;
 
@@ -123,6 +124,24 @@ pub async fn renew_token_handler(
 }
 }
 
+/// It changes the user's password.
+///
+/// # Errors
+///
+/// It returns an error if:
+///
+/// - The user account is not found.
+#[allow(clippy::unused_async)]
+pub async fn change_password_handler(
+ State(_app_data): State>,
+ extract::Json(change_password_form): extract::Json,
+) -> Response {
+
+ println!("change pass form: {change_password_form:#?}");
+
+ ServiceError::AccountNotFound.into_response()
+}
+
 /// It bans a user from the index.
 ///
 /// # Errors
diff --git a/src/web/api/server/v1/contexts/user/routes.rs b/src/web/api/server/v1/contexts/user/routes.rs
index 04ae9980..9daabc18 100644
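Review bot: `ChangePasswordForm` in forms.rs derives `Debug` although all three of its fields hold plaintext passwords, so any `{:?}` formatting of the form writes them out. The new `change_password_handler` in handlers.rs already does this with `println!("change pass form: {change_password_form:#?}")`, which puts the current and the new password on stdout for every request. I would drop `Debug` from the derive (`#[derive(Clone, Deserialize)]`) or hand-write a `Debug` impl that prints a fixed redaction marker for each field, and delete the `println!`. `Serialize` also looks unneeded for an inbound form, unless test or client code outside this diff serialises it.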
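Review bot: `change_password_handler` in handlers.rs takes neither the `ExtractLoggedInUser` extractor that this file imports nor a `Path` extractor for the `:user` segment of the `/:user/change-password` route added in routes.rs. As far as this diff shows, the endpoint therefore accepts requests without an authenticated caller and cannot tell whose password is meant. The body is a stub that always answers `ServiceError::AccountNotFound`, but the real logic will be built on this signature: it should carry the logged-in user and the path user, reject a mismatch, verify `password` against the stored credential and require `new_password == confirm_password` before writing anything. Until then the doc comment should describe the stub rather than the intended behaviour, e.g. `/// Stub: always responds with ServiceError::AccountNotFound; the password is not changed yet.`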
--- a/src/web/api/server/v1/contexts/user/routes.rs
+++ b/src/web/api/server/v1/contexts/user/routes.rs
@@ -7,7 +7,8 @@ use axum::routing::{delete, get, post};
 use axum::Router;
 
 use super::handlers::{
- ban_handler, email_verification_handler, login_handler, registration_handler, renew_token_handler, verify_token_handler,
+ ban_handler, change_password_handler, email_verification_handler, login_handler, registration_handler, renew_token_handler,
+ verify_token_handler,
 };
 use crate::common::AppData;
 
@@ -28,6 +29,11 @@ pub fn router(app_data: Arc) -> Router {
 .route("/login", post(login_handler).with_state(app_data.clone()))
 .route("/token/verify", post(verify_token_handler).with_state(app_data.clone()))
 .route("/token/renew", post(renew_token_handler).with_state(app_data.clone()))
+ // Profile
+ .route(
+ "/:user/change-password",
+ post(change_password_handler).with_state(app_data.clone()),
+ )
 // User ban
 // code-review: should not this be a POST method? We add the user to the blacklist. We do not delete the user.
 .route("/ban/:user", delete(ban_handler).with_state(app_data))