Open
Description
I'm new to Rails and I don't understand how to use access_token.
When the user resets the password (/auth/password/), the access_token parameter goes in the URL, right? Is this safe? In the URL, anyone with malicious intent could get the access_token, change the user's password and enter the system, am I wrong?
In the case of the system I am developing, security is very important as it is a fintech that will deal with the user's money.
I'm sorry if this is a silly question, but I really don't understand and I'm afraid the security will fail.