CREATE TABLE "AuthToken" (
    "id" TEXT NOT NULL PRIMARY KEY,
    "userId" TEXT NOT NULL,
    "tenantId" TEXT NOT NULL,
    "tokenType" TEXT NOT NULL,
    "tokenHash" TEXT NOT NULL,
    "expiresAt" DATETIME NOT NULL,
    "consumedAt" DATETIME,
    "createdByUser" TEXT,
    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "metadataJson" JSONB,
    CONSTRAINT "AuthToken_tokenHash_key" UNIQUE ("tokenHash"),
    CONSTRAINT "AuthToken_tokenType_check" CHECK ("tokenType" IN ('PASSWORD_RESET', 'INVITE_ACCEPTANCE'))
);

CREATE INDEX "AuthToken_userId_tokenType_idx" ON "AuthToken"("userId", "tokenType");
CREATE INDEX "AuthToken_tenantId_tokenType_expiresAt_idx" ON "AuthToken"("tenantId", "tokenType", "expiresAt");