@User your recommendations make sense! We will update the docs very shortly.
Btw, you can override this behaviour and control sending the password reset email yourself (in Node itself). This would then not send the reset token to any third party.
SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).