password-reset

Password reset endpoints should reveal as little as possible about account existence. I return the same response for known and unknown emails, store only token digests, and invalidate tokens after first use. Small response details here prevent large i