I am using the email verification package and as far as I can see, there is no expiration time for the tokens, right? I am not a security expert, but is it ok to just leave the tokens alone?
SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).
