Abandoned · Archived · Library · [Mail & Notifications](/categories/mail)

fusionspim/php-email-tokens
===========================

Generate secure tokens for use in emails (password reset, signup verification)

6.1.1 (3y ago) · MIT · PHP ^8.0

[Source](https://github.com/fusionspim/php-email-tokens) · [Packagist](https://packagist.org/packages/fusionspim/php-email-tokens)

PHP email tokens
================

Used in password reset (or sign up verification) emails, these need to be:

1. Entirely random
2. Short, containing only simple ([0-9, A-Z and a-z](https://www.wikidata.org/wiki/Q809817)) characters (to avoid email problems)
3. Expiring within a short period of time (though still dependent on the security of the user's mailbox)
4. Deleted once used and/or expired (this bit is down to you!)
5. Hashed when stored in the database (like passwords, so useless if read via SQL injection or worse)

### Sample code for *forgot\_password.php*

```
$token = new EmailToken;
$token->getEmailToken(); // include in the link you email the user (don't store anywhere!)
$token->getDatabaseHash(); // store against the user (128 character string) along with `tokenCreated`
```

*Tip: better to put the user in a queue, then generate tokens/emails in a worker/cron.*

### Sample code for *reset\_password.php*

```
$token = new EmailToken;
$user  = loadFromHash($token->hashFromToken($_GET['token'])); // loadFromHash() is pseudo code, your bit!

if ($user && $token->stillValid($user->tokenCreated)) { // DateTime/Carbon parameter (or validate in your SQL query)
    // show password form, delete hash/expiry stored against the user
} else {
    // show generic/non-revealing 'Sorry, that token is no longer valid' message
}
```
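
The pieces both samples leave to the caller (`loadFromHash()`, the expiry check, and deleting the hash on use), as an added example that is not the library's own code. The `users` table and its columns, Unix-timestamp storage, SHA-512 (chosen because it yields a 128-character hex string) and all function names are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);
// Added illustration, not the library's code. Table/column names, SHA-512 and
// the helper names are assumptions made for this example.
const ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

function makeToken(int $length = 24): string
{
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= ALPHABET[random_int(0, strlen(ALPHABET) - 1)]; // CSPRNG, no modulo bias
    }
    return $token;
}

function hashToken(string $token): string
{
    return hash('sha512', $token); // 128 hex characters; only this value is stored
}

// Single-use claim: the UPDATE re-checks hash and expiry, so when two requests
// race with the same token only one of them sees rowCount() === 1.
function consumeToken(PDO $db, string $token, int $expiryMinutes = 15): ?int
{
    $hash   = hashToken($token);
    $cutoff = time() - $expiryMinutes * 60;
    $find   = $db->prepare('SELECT id FROM users WHERE token_hash = ? AND token_created >= ?');
    $find->execute([$hash, $cutoff]);
    $id = $find->fetchColumn();
    if ($id === false) {
        return null; // unknown, expired or already used: same generic failure
    }
    $claim = $db->prepare('UPDATE users SET token_hash = NULL, token_created = NULL
                           WHERE id = ? AND token_hash = ? AND token_created >= ?');
    $claim->execute([$id, $hash, $cutoff]);
    return $claim->rowCount() === 1 ? (int) $id : null;
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, token_hash TEXT, token_created INTEGER)');
$token = makeToken(); // goes into the emailed link only, never into storage
$db->prepare('INSERT INTO users VALUES (1, ?, ?)')->execute([hashToken($token), time()]);
var_dump(consumeToken($db, $token));      // first use of the emailed token
var_dump(consumeToken($db, $token));      // replay of the same token
var_dump(consumeToken($db, makeToken())); // a random guess
```

Every failure path returns `null`, so the caller can show the same non-revealing message whether the token was wrong, expired or already used.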

### Options

An array can be passed in the constructor to override defaults:

- **Token expiry period:** the **15 minute** default allows for email delivery delays, but lowers the risk of emails sitting around in a possibly unattended email client
- **Token length:** the **24 character** default is nice and short for emails, but gives ~10,000,000,000,000,000,000,000,000,000,000,000,000,000,000 combinations for the 62 case-sensitive alphanumeric characters used - impossible to brute-force successfully ([20 or more is recommended](https://stackoverflow.com/questions/20013672/best-practice-on-generating-reset-password-tokens))

```
new EmailToken(['expiryMinutes' => 60]);
new EmailToken(['tokenLength' => 30]);
new EmailToken(['expiryMinutes' => 60, 'tokenLength' => 30]);
```

### Helpers

There are two helper functions:

```
$token->getExpiryMinutes(); // useful to mention in your email message
$token->getTokenLength(); // not sure what you'd use this for!
```

Credits
-------

[Comments](https://stackoverflow.com/questions/20013672/best-practice-on-generating-reset-password-tokens), [advice](https://security.stackexchange.com/questions/86913/should-password-reset-tokens-be-hashed-when-stored-in-a-database) and [code](https://security.stackexchange.com/questions/86913/should-password-reset-tokens-be-hashed-when-stored-in-a-database) from [Martin Stoeckli](https://www.martinstoeckli.ch/) were invaluable in getting my knowledge and understanding to the point of being happy with all this - thanks Martin! :-)

### Release Activity

- Cadence: every ~94 days (recently: every ~136 days)
- Total: 18
- Last release: 1377d ago

Major versions:

- 1.0.0 → 2.0.0 (2018-03-06)
- 2.2.1 → 3.0.0 (2020-03-26)
- 3.0.1 → 4.0.0 (2020-06-15)
- 4.1.0 → 5.0.0 (2020-07-11)
- 5.1.0 → 6.0.0 (2021-12-21)

PHP version history (6 changes):

- 1.0.0: PHP ^7.1
- 2.1.2: PHP ^7.2
- 3.0.0: PHP ^7.3
- 5.0.0: PHP ^7.4
- 5.1.0: PHP ^7.4 || ^8.0
- 6.0.0: PHP ^8.0

### Community

- Maintainers: [maxakropolis](/maintainers/maxakropolis)
- Top contributors: dependabot[bot] (82 commits), [weshooper](https://github.com/weshooper) (45 commits), [ziadoz](https://github.com/ziadoz) (11 commits), [maxakropolis](https://github.com/maxakropolis) (3 commits), [liamkeily](https://github.com/liamkeily) (1 commit)
- Tags: security, email, password, token

### Code Quality

- Tests: PHPUnit
