@User I would like to point out something about the default email sending behavior in the Node pkg:
https://github.com/supertokens/supertokens-node/blob/cafec349c50cfee4c944a5020803bbe16fce6bfd/lib/ts/recipe/emailpassword/passwordResetFunctions.ts#L38-L49
This is sending a token that essentially acts as a password allowing someone to take over an account, and it's being sent to a third-party server. Granted, it's a server owned by the maintainers of the pkg, but it still feels like not a great way to do it (even if it is nice to see emailing work out of the box).
Some possible solutions:
- Use this behavior only if you detect that the core server is also on supertokens.io, or better yet, remove it entirely
- Maybe instead of current behavior, the default sender function could detect a peer dep on nodemailer and look for SMTP credentials on `process.env`, which would be email server agnostic? Meteor's `email` package does something like this.
https://docs.meteor.com/api/email.html
- At least mention this in the `createAndSendCustomEmail` docs, with a clear warning about the security implications of the default behavior, if it isn't changed. Also explain which emailing service receives the data after that, and whether it is stored or logged anywhere. Perhaps a separate "Emails" section in docs rather than burying it in the init config docs.