I've drafted three approaches for the password reset token. Which one fits your security requirements?
1Single-use JWT signed with HS256, 15 min expiry2DB-stored opaque token, 1 hour expiry, revocable3Magic link only — no token, email-verified login4I'll explain the tradeoffs firstDismiss