I am using the email verification package and as far as I can see, there is no expiration time for the tokens, right? I am not a security expert, but is it ok to just leave the tokens alone?