diff --git a/src/Controllers/UserController.js b/src/Controllers/UserController.js
index 5970c435..0f19e704 100644
--- a/src/Controllers/UserController.js
+++ b/src/Controllers/UserController.js
@@ -9,15 +9,6 @@ var RestQuery = require('../RestQuery');
 var Auth = require('../Auth');
 
 export class UserController extends AdaptableController {
- // Add token delete operations to a rest update object
- static addClearPasswordResetTokenToRestObject(restObject) {
- const addOps = {
- _perishable_token: { __op: 'Delete' },
- _perishable_token_expires_at: { __op: 'Delete' },
- };
- return Object.assign({}, restObject, addOps);
- }
-
 constructor(adapter, appId, options = {}) {
 super(adapter, appId, options);
 }
@@ -305,7 +296,7 @@ function updateUserPassword(userId, password, config) {
 Auth.master(config),
 '_User',
 { objectId: userId },
- UserController.addClearPasswordResetTokenToRestObject({ password })
+ { password: password }
 );
 }
 
diff --git a/src/RestWrite.js b/src/RestWrite.js
index 59d77356..c8e71d56 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -95,6 +95,9 @@ RestWrite.prototype.execute = function() {
 .then(() => {
 return this.runBeforeTrigger();
 })
+ .then(() => {
+ return this.deleteEmailRestTokenIfNeeded();
+ })
 .then(() => {
 return this.validateSchema();
 })
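Review bot: In `updateUserPassword` (src/Controllers/UserController.js, hunk at -305) the call site no longer shows that the password-reset token is invalidated; after this change that happens only as a side effect of the `_User` update inside RestWrite. A comment above the data argument would keep that visible to anyone auditing the reset flow, e.g. `// RestWrite.deleteEmailRestTokenIfNeeded clears _perishable_token on this update`. The argument can also keep the shorthand the removed line used, `{ password }`. The function's body starts outside the hunk.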
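Review bot: The step added to `RestWrite.prototype.execute` is named `deleteEmailRestTokenIfNeeded`, which reads "Rest" where "Reset" appears to be meant; the same spelling is used in the definition added in the hunk at line 748 of src/RestWrite.js. Renaming both, for example to `deletePasswordResetTokenIfNeeded`, makes this security-relevant step easier to find by search. If the position after `runBeforeTrigger` is deliberate, a comment such as `// runs after beforeSave so password/email set by a trigger also clears the token` would record it; the rest of the promise chain is outside the hunk.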
@@ -745,6 +748,22 @@ RestWrite.prototype.createSessionToken = function() {
 return createSession();
 };
 
+// Delete email reset tokens if user is changing password or email.
+RestWrite.prototype.deleteEmailRestTokenIfNeeded = function() {
+ if (this.className !== '_User' || this.query === null) {
+ // null query means create
+ return;
+ }
+
+ if ('password' in this.data || 'email' in this.data) {
+ const addOps = {
+ _perishable_token: { __op: 'Delete' },
+ _perishable_token_expires_at: { __op: 'Delete' },
+ };
+ this.data = Object.assign(this.data, addOps);
+ }
+};
+
 RestWrite.prototype.destroyDuplicatedSessions = function() {
 // Only for _Session, and at creation time
 if (this.className != '_Session' || this.query) {
diff --git a/src/Routers/ClassesRouter.js b/src/Routers/ClassesRouter.js
index 93ba78db..b4269c05 100644
--- a/src/Routers/ClassesRouter.js
+++ b/src/Routers/ClassesRouter.js
@@ -105,27 +105,14 @@ export class ClassesRouter extends PromiseRouter {
 );
 }
 
- // always clear password reset token on email address change
- beforeUpdate(req) {
- const { body } = req;
- if (this.className(req) === '_User' && 'email' in body) {
- const { userController } = req.config;
- return userController.constructor.addClearPasswordResetTokenToRestObject(
- body
- );
- }
- return body;
- }
-
 handleUpdate(req) {
- const body = this.beforeUpdate(req);
 const where = { objectId: req.params.objectId };
 return rest.update(
 req.config,
 req.auth,
 this.className(req),
 where,
- body,
+ req.body,
 req.info.clientSDK
 );
 }
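Review bot: In the new `deleteEmailRestTokenIfNeeded` (src/RestWrite.js, hunk at +748) the create guard `this.query === null` is stricter than the truthiness test the neighbouring `destroyDuplicatedSessions` uses, so if any caller passes `undefined` rather than `null` for a create, the two Delete ops would be added to the create payload. `if (this.className !== '_User' || !this.query) {` keeps the two guards consistent. `Object.assign(this.data, addOps)` already mutates `this.data`, so the reassignment is redundant and `Object.assign(this.data, addOps);` alone is enough. The `in` checks fire whenever the key is present, including an unchanged email, which invalidates a pending reset link; that is the safe direction, but the comment above the function should say so.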