...
Also, only the hash of the password reset tokens should be stored. Instead of using userId, we use a randomly generated number, resetId, which can then be translated to a userId on the server side. We can also use this to find the salt used to hash the authorization token.
```
{
  "resetId": <random int>,
  "authorization": <UUID4 TOKEN>,
  "newPassword": "hunter3"
}
```
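The server side of this scheme, as an added example that is not code from the original page: the reset record is keyed by resetId and holds the userId, the salt and only the hash of the token. The in-memory `RESETS` store, the function names, the choice of SHA-256 and the single-use deletion are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import uuid

# Hypothetical stand-in for the reset table: resetId -> record.
RESETS = {}


def hash_token(token, salt):
    # SHA-256 over salt + token is an assumption; the page names no hash.
    return hashlib.sha256(salt + token.encode("utf-8")).digest()


def issue_reset(user_id):
    """Create a reset record and return (resetId, token) for the reset link."""
    reset_id = secrets.randbits(63)      # random lookup key, not the userId
    token = str(uuid.uuid4())            # UUID4 authorization token
    salt = secrets.token_bytes(16)
    RESETS[reset_id] = {
        "user_id": user_id,
        "salt": salt,
        "token_hash": hash_token(token, salt),   # the token itself is never stored
    }
    return reset_id, token


def redeem_reset(body):
    """Return the userId for a valid reset request body, otherwise None."""
    reset_id = body.get("resetId")
    token = body.get("authorization")
    if not isinstance(reset_id, int) or not isinstance(token, str):
        return None
    record = RESETS.get(reset_id)        # resetId -> userId and salt, server side
    if record is None:
        return None
    candidate = hash_token(token, record["salt"])
    # Constant-time comparison of the stored hash and the recomputed one.
    if not hmac.compare_digest(candidate, record["token_hash"]):
        return None
    del RESETS[reset_id]                 # assumption: a token is single use
    return record["user_id"]
```
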
...