| Token | Purpose | Expiry |
|---|---|---|
| Password Reset | Forgot-password flow | 15 minutes (configurable) |
| Email Verification | OTP for email verification | 15 minutes (configurable) |
- Tokens are generated using `crypto.randomBytes(32)` (256-bit entropy)
- OTP codes use `crypto.randomInt()` for 6-digit numeric codes
- Tokens are hashed (SHA-256) before storage in the database
- The raw token is sent to the user; only the hash is persisted
- This ensures that a database breach does not expose valid tokens
- The raw token from the user is hashed
- The hash is looked up in the database
- Expiry is checked
- If valid, the token is deleted (single-use)
- Single-use: Tokens are deleted after use
- Expiry: Tokens automatically expire (15 minutes default)
- Hashed storage: Database leak doesn't expose tokens
- High entropy: 256-bit randomness prevents guessing
- Rate limited: Token generation endpoints are rate-limited