@User your recommendations make sense! We will update the docs very shortly. Btw, you can override this behaviour and control sending the password reset email yourself (in node itself). This would then not send the reset token to any third party.