Verification tokens — single-use, email-delivered random tokens that back password reset, email change, and magic-link sign-in.
All three flows share the same shape: the server mints a long random token, stores only its hash, emails the plaintext to the user, then consumes the token on the verify endpoint. The backend pattern is the same as crate::api_key: HMAC-SHA256 with a server pepper (NOT Argon2; these are 32-byte random secrets, not low-entropy passwords, so a keyed hash is sufficient and a slow password hash buys nothing). The kind lets the verifier reject cross-purpose replay: a magic-link token can’t be used as a password-reset token even if an attacker intercepts both emails.
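The mint/verify shape described above, as an added example that is not the crate's own code. It is written in Python rather than Rust because the standard library provides HMAC-SHA256 directly; the pepper, the in-memory store, the record layout, the TTL and the `kind` strings are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed values for the example. A real deployment loads the pepper from a
# secret store and persists records in a database; the shape is what matters.
PEPPER = b"example-server-pepper-not-for-production"
TTL_SECONDS = 15 * 60


@dataclass
class Record:
    user_id: int
    kind: str           # e.g. "password_reset", "email_change", "magic_link"
    expires_at: int     # unix seconds
    consumed: bool = False


# Keyed by the peppered HMAC of the token; the plaintext is never stored.
STORE: Dict[bytes, Record] = {}


def digest(plaintext: str) -> bytes:
    # HMAC-SHA256 with a server pepper. The token is 32 random bytes, so a keyed
    # hash is enough; without the pepper a leaked table cannot be used to forge
    # lookups, and without the plaintext the stored digest reveals nothing.
    return hmac.new(PEPPER, plaintext.encode(), hashlib.sha256).digest()


def mint(user_id: int, kind: str, now: int) -> str:
    # 32 random bytes, URL-safe encoded. Only the digest is persisted; the
    # returned plaintext is what goes into the email link.
    plaintext = secrets.token_urlsafe(32)
    STORE[digest(plaintext)] = Record(user_id, kind, now + TTL_SECONDS)
    return plaintext


def verify(plaintext: str, kind: str, now: int) -> Tuple[Optional[int], str]:
    # Returns (user_id, "ok") on success, otherwise (None, reason).
    # The caller passes the kind its endpoint expects, so a token minted for
    # one purpose is rejected on any other endpoint (cross-purpose replay).
    rec = STORE.get(digest(plaintext))
    if rec is None:
        return None, "unknown"
    if rec.kind != kind:
        return None, "wrong_kind"
    if now >= rec.expires_at:
        return None, "expired"
    if rec.consumed:
        return None, "already_used"
    rec.consumed = True  # single use: the first successful verify burns it
    return rec.user_id, "ok"
```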