Understanding Password Reset Tokens in Laravel (Simple Explanation)

When building authentication systems, security is everything. One feature almost every modern app needs is “Forgot Password” — and Laravel handles it securely using password reset tokens.

Ever wondered what the password_reset_tokens table in a default Laravel installation is for? Let’s understand why that table exists and how it works.

Laravel inserts a new record into it when someone uses “Forgot Password” and asks to reset their password.

What Happens When User Clicks “Forgot Password”?

When a user enters their email:

  1. Laravel generates a unique, secure token.
  2. It stores the token in the password_reset_tokens table.
  3. It sends an email to the user with a reset link.

Important:
👉 The password is NOT changed immediately.


What Does the Reset Link Look Like?

By default, the link looks like this:

http://your-app-url/reset-password/{token}?email=user@example.com

Example:

http://localhost:8000/reset-password/abc123xyzToken?email=test@gmail.com

  • {token} → Unique security token
  • email → The user’s email address

Why Is the Token Important?

The token acts as proof that the person has access to the email account.

When the user clicks the link, Laravel checks:

  • Does the token exist?
  • Does it match the email?
  • Is it still valid (not expired — default is 60 minutes)?

By default, the password reset token in Laravel expires in 60 minutes.

You can change it in config/auth.php: the expire value inside the passwords array.

If everything is correct → Laravel shows the reset password form.
If not → It shows an error.
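Here is an added, standalone PHP sketch of that lifecycle. It is not Laravel’s own code, and an in-memory array stands in for the password_reset_tokens table, but it follows the same rule as Laravel’s DatabaseTokenRepository: the raw token lives only in the emailed link, the table keeps a bcrypt hash, and the three checks above plus the expiry window are run against that row.

```php
<?php
// Added illustration, not Laravel's own code. An in-memory array stands in for
// the password_reset_tokens table (one row per email). Like Laravel's
// DatabaseTokenRepository, it stores only a bcrypt hash of the token.
final class ResetTokenStore
{
    /** @var array<string, array{token: string, created_at: int}> */
    private array $rows = [];

    public function __construct(private int $expireMinutes = 60) {}

    /** Steps 1 and 2 of the flow: generate, store the hash, return the raw token for the link. */
    public function create(string $email): string
    {
        $raw = bin2hex(random_bytes(32));   // 256 bits from a CSPRNG, not guessable
        $this->rows[$email] = [
            'token'      => password_hash($raw, PASSWORD_BCRYPT),
            'created_at' => time(),
        ];
        return $raw;
    }

    /** The three checks from the article: row exists, not expired, token matches that email's row. */
    public function exists(string $email, string $rawToken, ?int $now = null): bool
    {
        $row = $this->rows[$email] ?? null;
        if ($row === null) {
            return false;   // nobody requested a reset for this email
        }
        if (($now ?? time()) - $row['created_at'] > $this->expireMinutes * 60) {
            return false;   // past the 'expire' window from config/auth.php
        }
        return password_verify($rawToken, $row['token']);   // constant-time compare against the hash
    }

    /** Run once the new password is saved, so the same link cannot be replayed. */
    public function delete(string $email): void
    {
        unset($this->rows[$email]);
    }
}

$store = new ResetTokenStore(expireMinutes: 60);
$token = $store->create('test@gmail.com');   // this value goes into the reset link

var_dump($store->exists('test@gmail.com', $token));                      // the real link
var_dump($store->exists('other@example.com', $token));                   // token bound to a different email
var_dump($store->exists('test@gmail.com', 'abc123xyzToken'));            // guessed token
var_dump($store->exists('test@gmail.com', $token, time() + 61 * 60));    // one minute past expiry
$store->delete('test@gmail.com');
var_dump($store->exists('test@gmail.com', $token));                      // link already used
```

Only the first check passes; the others show why a leaked table row (hash only), a wrong email, a guessed token, an old link or a replayed link cannot be used to set a new password.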


Why This Is Secure

  • Anyone can request a password reset.
  • But only the real email owner can complete it.
  • The password changes only after token verification.

This prevents random users from resetting someone else’s password.


That’s the simple idea behind Laravel’s password reset system — secure, token-based, and email verified.