tokens

Predictable tokens become account compromise. I use cryptographically secure randomness, store only token digests when possible, and keep token purpose and expiry specific. Reset tokens, magic links, and API secrets should all be treated like credenti