Information Security
German Zvonchuk, 2021-05-07 12:12:11

How to implement a secure password reset using a 6-digit numeric code?

Hello, friends.

There is a service that has a web interface and applications for Android and iOS.
There is a task to implement a password reset in such a way that the client does not go anywhere from the web or application.

That is, we need to drop the link from the password reset email and replace it with a 6-digit numeric code.

Resetting a password via a link has a downside: it has to be implemented in the application through Deep Linking (Universal Linking), but I would like the user not to leave the mobile application and to be able to reset the password conveniently when necessary.

Process:

  1. The user enters the email they want to reset the password for.
  2. There is a call to the API, which checks that an account with such an email exists.
  3. If an account is found, a code is sent to the user by email and the user proceeds to the next screen, where he will be asked to enter the code from the letter and a new password twice.

Question:
What data, besides the 6-digit code and the new password, should be sent to the second API in order to implement a secure password reset?

Options:

  1. Send the email to this API as well?
  2. Send to this API a hash that the first API returns in its response?


1 answer(s)
Vladimir Korotenko, 2021-05-07
@firedragon

Make an interceptor for SMS, mail and push notifications. That is, he will not even leave the page; well, limit the number of attempts to once every 3 minutes if the new token has expired. If there is no interception, display a window for entering the code.
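As an added example (not code from the question or the answer), the following Python sketch implements the two-call flow the question describes and the answer's attempt limit and token expiry. It takes the question's second option: the first API returns an opaque reset identifier, and the second API receives that identifier, the 6-digit code and the new password, so a caller needs both the identifier (held only by whoever started the reset) and the code (delivered only to the mailbox) to change a password. Names such as `PasswordResetService`, `request_reset`, `confirm_reset`, `CODE_TTL_SECONDS` and `MAX_ATTEMPTS` are assumptions; the in-memory dictionaries and the `sent_mail` list stand in for a database and a mail sender, and the final password hash is a placeholder for a real password hasher such as argon2 or bcrypt. The attempt cap is a per-session counter rather than the answer's "once every 3 minutes" timing; either works, the point is that a 6-digit code is only safe when guesses are bounded.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600   # assumption: code is valid for 10 minutes
MAX_ATTEMPTS = 5         # assumption: wrong guesses allowed per reset session


@dataclass
class ResetSession:
    email: str
    code_hash: bytes      # only a hash of the code is stored, never the code itself
    created: float
    attempts: int = 0


class PasswordResetService:
    """Hypothetical reset service: the two API calls from the question."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts   # constructed sample: email -> password hash
        self.sessions = {}         # reset_id -> ResetSession (stand-in for a DB/cache)
        self.sent_mail = []        # (email, code) captured instead of sending real mail
        self.clock = clock         # injectable so expiry can be tested without sleeping

    @staticmethod
    def _code_hash(reset_id, code):
        # Bind the code to its reset_id so a code from one session cannot be replayed in another.
        return hashlib.sha256(f"{reset_id}:{code}".encode()).digest()

    def request_reset(self, email):
        """First API. Always returns an opaque reset_id, whether or not the account
        exists, so the response does not reveal which emails are registered."""
        reset_id = secrets.token_urlsafe(32)
        if email in self.accounts:
            code = f"{secrets.randbelow(10**6):06d}"   # uniform 6-digit code from the CSPRNG
            self.sessions[reset_id] = ResetSession(
                email, self._code_hash(reset_id, code), self.clock())
            self.sent_mail.append((email, code))      # the only place the code is disclosed
        return reset_id

    def confirm_reset(self, reset_id, code, new_password):
        """Second API. The client sends reset_id (from the first call), the code
        from the email and the new password; the email address is not needed."""
        session = self.sessions.get(reset_id)
        if session is None:
            return "invalid"                           # unknown, used, or already discarded
        if self.clock() - session.created > CODE_TTL_SECONDS:
            del self.sessions[reset_id]
            return "expired"
        if session.attempts >= MAX_ATTEMPTS:
            del self.sessions[reset_id]                # cap guesses: 10^6 codes, 5 tries
            return "locked"
        session.attempts += 1
        if not hmac.compare_digest(self._code_hash(reset_id, code), session.code_hash):
            return "wrong_code"
        del self.sessions[reset_id]                    # single use: success consumes the session
        # Placeholder for a real password hasher (argon2/bcrypt) in a production service.
        self.accounts[session.email] = hashlib.sha256(new_password.encode()).hexdigest()
        return "ok"


if __name__ == "__main__":
    svc = PasswordResetService({"alice@example.com": "old-hash"})
    rid = svc.request_reset("alice@example.com")
    _, code = svc.sent_mail[-1]                        # simulate reading the email
    print(svc.confirm_reset(rid, code, "new-password"))
```

The design choice worth noting: sending only the email plus code to the second API (the question's first option) would let anyone who knows a victim's address start guessing codes for that account, while an opaque `reset_id` is unguessable and is never emailed, so the code alone is useless without it and the identifier alone is useless without the mailbox.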
