The Public Boundary
Internal Identifiers Were Never Meant to Leave the System
A User ID Is Not a Safe Link
When a user requests a password reset, your application sends them a link.
That link carries enough information to identify the request when the user returns — but it cannot carry the user's internal ID.
Exposing internal identifiers in email links or URL parameters is a known vulnerability class: insecure direct object reference.
The Tokens Api closes that exposure by placing an opaque token in the link instead.
Application-Defined Context
Every token carries an owner identifier and a type — both defined by the calling application.
The application controls what those values mean and what they authorize.
The Tokens Api stores them, returns them on demand, and removes them when they are no longer needed.
The interpretation is yours; the lifecycle management is Arch's.