bitfumes

Verify Password Reset on hash_hmac

How does Laravel match the token in the email with the token in the password_reset table for a given user? Because the token in the email and the token in the password_reset table are different.

Snapey

Token of email? I don't know what you mean.

bitfumes

I mean, when you use Laravel auth and try to reset a password, the user gets an email for verification, and in the password_reset table there will be an entry with a token. Now that email also has a token.

When the user clicks the link in the email, how does Laravel verify which user's password has to change?

kpasokhi
Best Answer

In Illuminate\Auth\Passwords\DatabaseTokenRepository.php you can see that the token is generated with HMAC:

  hash_hmac('sha256', Str::random(40), $this->hashKey);

Then it is encrypted and saved in the database with the password_hash function:

  $hash = password_hash($value, PASSWORD_BCRYPT, [
      'cost' => $this->cost($options),
  ]);

So even if someone has access to the database, they can't find the actual reset token. When a user clicks on the reset link, Laravel takes the token, encrypts it using password_hash, searches it against the password_reset table, and finds the user email.
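The create / store / verify flow that the answer above describes, written out as an added, self-contained PHP illustration (not Laravel's own code). It is modelled on the two snippets quoted above: the plaintext token is an HMAC over random bytes, only its bcrypt hash is stored, and verification has to look the row up by the email that travels in the reset link and then call password_verify, because a bcrypt hash contains a random salt and so cannot be found by re-hashing the token and searching. The $table array, the HASH_KEY and EXPIRES_SECONDS constants, bin2hex(random_bytes(20)) standing in for Str::random(40), and the low bcrypt cost are all assumptions made for the demo.

```php
<?php
// Added illustration of the password-reset token flow; not Laravel's own code.
// $table is a constructed in-memory stand-in for the password_reset table.

const HASH_KEY        = 'constructed-app-key-for-demo-only'; // stands in for $this->hashKey
const EXPIRES_SECONDS = 3600;                                // stands in for the configured expiry

/** Plaintext token: HMAC-SHA256 over random bytes, keyed with the app key (as in the quoted snippet). */
function createToken(): string
{
    // bin2hex(random_bytes(20)) is an assumption standing in for Str::random(40)
    return hash_hmac('sha256', bin2hex(random_bytes(20)), HASH_KEY);
}

/** Persist only the bcrypt hash of the token; the plaintext is what goes into the email. */
function storeToken(array &$table, string $email, string $token, int $now): void
{
    unset($table[$email]); // one outstanding token per email address
    $table[$email] = [
        'token'      => password_hash($token, PASSWORD_BCRYPT, ['cost' => 4]), // cost 4 keeps the demo fast
        'created_at' => $now,
    ];
}

/**
 * Verify a reset request. The link carries both the email and the plaintext token:
 * the email selects the row, the expiry is checked, and password_verify compares
 * the plaintext against the stored bcrypt hash (the salted hash cannot be searched for).
 */
function tokenIsValid(array $table, string $email, string $token, int $now): bool
{
    if (!isset($table[$email])) {
        return false; // no outstanding reset for this email
    }
    $row = $table[$email];
    if ($now - $row['created_at'] > EXPIRES_SECONDS) {
        return false; // token expired
    }
    return password_verify($token, $row['token']);
}

// Demo run with a constructed user and table.
$table = [];
$now   = time();
$token = createToken();
storeToken($table, 'alice@example.com', $token, $now);

var_dump(tokenIsValid($table, 'alice@example.com', $token, $now));         // genuine token
var_dump(tokenIsValid($table, 'alice@example.com', createToken(), $now));  // wrong token, same email
var_dump(tokenIsValid($table, 'bob@example.com', $token, $now));           // right token, wrong email
var_dump(tokenIsValid($table, 'alice@example.com', $token, $now + 7200));  // genuine token, after expiry
```

Only the first of the four checks succeeds: a token is accepted solely for the email it was issued to, and only inside the expiry window. Because the stored value is a bcrypt hash of the token rather than the token itself, reading the table does not yield a usable reset link, which is the point the answer makes.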
