CREATE TABLE "AuthToken" (
    "id" TEXT NOT NULL PRIMARY KEY,
    "userId" TEXT NOT NULL,
    "tenantId" TEXT NOT NULL,
    "tokenType" TEXT NOT NULL,
    "tokenHash" TEXT NOT NULL,
    "expiresAt" TIMESTAMP(3) NOT NULL,
    "consumedAt" TIMESTAMP(3),
    "createdByUser" TEXT,
    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "metadataJson" JSONB,
    CONSTRAINT "AuthToken_tokenHash_key" UNIQUE ("tokenHash"),
    CONSTRAINT "AuthToken_tokenType_check" CHECK ("tokenType" IN ('PASSWORD_RESET', 'INVITE_ACCEPTANCE'))
);

CREATE INDEX "AuthToken_userId_tokenType_idx" ON "AuthToken"("userId", "tokenType");
CREATE INDEX "AuthToken_tenantId_tokenType_expiresAt_idx" ON "AuthToken"("tenantId", "tokenType", "expiresAt");