$token = bin2hex(random_bytes(32));              // 256-bit token
$tokenHash = hash('sha256', $token);
$expires = date('Y-m-d H:i:s', time()+3600);     // 60 min
// insert into password_resets(user_id, token_hash, expires_at) ...
$link = "https://astmdata.com/reset.php?token=$token";