How this works
One-time-use, time-bound, and never tied to a single device.
- Reset tokens are SHA-256 hashed before storage.
- Tokens self-destruct after 15 minutes or first use.
- Resetting your password invalidates every existing session.
AES-256-GCM at rest · TLS 1.2+ in transit