We want to store the hashed token in the db because in case the db is leaked, the user can't use those hashed tokens to reset the user's password - since the input token to the API is hashed before being checked in the db. So if we were to send the hashed token via email, the input to the API would be hashed again, and therefore we would be checking hash(hash(raw_token)) as opposed to hash(raw_token) (which is in the db).