
I realize that key == nonce in my post. My point was against the statement "emailing password reset links is bad and not best practice." You need a password link to make use of the key/nonce. The point of the nonce isn't to eliminate links. It's to make the attack surface that much smaller by limiting their power.
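One way a nonce can limit what an e-mailed reset link is good for, as an added example that is not part of the original comment. It assumes the nonce is single-use, expires after 15 minutes, is superseded by a newer request and is stored only as a hash; `ResetTokenStore`, `reset_link` and the lifetime are hypothetical names and values.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, not taken from the comment


class ResetTokenStore:
    """In-memory stand-in for a table of pending password resets."""

    def __init__(self, clock=time.time):
        self._pending = {}  # sha256(nonce) -> (user_id, expires_at)
        self._clock = clock

    @staticmethod
    def _digest(nonce):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(nonce.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        # A new request invalidates older links for the same user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(nonce)] = (user_id, expires_at)
        return nonce  # the raw value exists only in the e-mailed link

    def redeem(self, nonce):
        """Return the user id once for a valid nonce, otherwise None."""
        # pop() makes the nonce single-use: a replayed link finds nothing.
        entry = self._pending.pop(self._digest(nonce), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired links are consumed and rejected
        return user_id


def reset_link(base_url, nonce):
    # token_urlsafe() output needs no further URL encoding.
    return f"{base_url}?token={nonce}"
```
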

