diff --git a/src/routes/account/change-password/post.ts b/src/routes/account/change-password/post.ts
index ddb5a1a..26a70e5 100644
--- a/src/routes/account/change-password/post.ts
+++ b/src/routes/account/change-password/post.ts
@@ -8,6 +8,7 @@ import { checkAuthorization } from '../../../lib/auth'
import { users } from '../../../lib/tables'
import { eq } from 'drizzle-orm'
import bcrypt from 'bcryptjs'
+import { randomBytes } from 'crypto'
type Body = {
newPassword: string
@@ -19,7 +20,7 @@ export async function handler (context: Context) {
if (!dbInfo0 || !dbInfo1)
return jsonResponse(
- { success: false, message: 'Failed to connect to database' },
+ { success: false, message: 'Failed to connect to database', data: null },
500
)
const { connection: connection0, db: db0 } = dbInfo0
@@ -33,7 +34,10 @@ export async function handler (context: Context) {
)
if (!authResult.valid) {
connection0.end()
- return jsonResponse({ success: false, message: 'Unauthorized' }, 401)
+ return jsonResponse(
+ { success: false, message: 'Unauthorized', data: null },
+ 401
+ )
}
const userId = authResult.id
@@ -57,12 +61,13 @@ export async function handler (context: Context) {
}
const hashedPassword = await bcrypt.hash(body.newPassword, 10)
+ const token = randomBytes(256).toString('hex')
await db0
.update(users)
- .set({ password: hashedPassword })
+ .set({ password: hashedPassword, token })
.where(eq(users.id, userId))
.execute()
- return jsonResponse({ success: true, message: null })
+ return jsonResponse({ success: true, message: null, data: token })
}
diff --git a/src/routes/account/change-username/post.ts b/src/routes/account/change-username/post.ts
index 885a517..140e585 100644
--- a/src/routes/account/change-username/post.ts
+++ b/src/routes/account/change-username/post.ts
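Review bot: The new session token is written to `users.token` as the raw hex string in the `.set({ password: hashedPassword, token })` line, right next to a bcrypt-hashed password, so anyone who can read that table (backup, replica, a leak elsewhere) holds a live bearer credential for every user while the password column reveals nothing. Store only a digest and have `checkAuthorization` (not visible here) look the presented token up by its digest: `const token = randomBytes(32).toString('hex')` then `.set({ password: hashedPassword, token: createHash('sha256').update(token).digest('hex') })` (importing `createHash` alongside `randomBytes`), still returning the raw `token` in `data` as now. `randomBytes(256)` also produces a 512-character string; 32 bytes (256 bits) is ample and avoids a truncated or rejected write if the `token` column is bounded — the schema is outside this diff, so confirm its width. The same generation line is repeated in change-username and reset-password; a single `newSessionToken()` helper in lib/auth would keep the size, encoding and hashing in one place. No `connection0.end()` is visible before the success return in this hunk although the 401 branch above calls it, and handler begins outside the hunk; unless the connection is closed elsewhere, the success path leaks it.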
@@ -7,6 +7,7 @@ import {
import { checkAuthorization } from '../../../lib/auth'
import { users } from '../../../lib/tables'
import { eq } from 'drizzle-orm'
+import { randomBytes } from 'crypto'
type Body = {
newUsername: string
@@ -18,7 +19,7 @@ export async function handler (context: Context) {
if (!dbInfo0 || !dbInfo1)
return jsonResponse(
- { success: false, message: 'Failed to connect to database' },
+ { success: false, message: 'Failed to connect to database', data: null },
500
)
const { connection: connection0, db: db0 } = dbInfo0
@@ -32,7 +33,10 @@ export async function handler (context: Context) {
)
if (!authResult.valid) {
connection0.end()
- return jsonResponse({ success: false, message: 'Unauthorized' }, 401)
+ return jsonResponse(
+ { success: false, message: 'Unauthorized', data: null },
+ 401
+ )
}
const userId = authResult.id
@@ -51,11 +55,13 @@ export async function handler (context: Context) {
)
}
+ const token = randomBytes(256).toString('hex')
+
await db0
.update(users)
- .set({ username: body.newUsername })
+ .set({ username: body.newUsername, token })
.where(eq(users.id, userId))
.execute()
- return jsonResponse({ success: true, message: null })
+ return jsonResponse({ success: true, message: null, data: token })
}
diff --git a/src/routes/account/reset-password/post.ts b/src/routes/account/reset-password/post.ts
index b692651..29ad102 100644
--- a/src/routes/account/reset-password/post.ts
+++ b/src/routes/account/reset-password/post.ts
@@ -8,6 +8,7 @@ import {
import { resetCodes, users } from '../../../lib/tables'
import { and, desc, eq, sql } from 'drizzle-orm'
import bcrypt from 'bcryptjs'
+import { randomBytes } from 'crypto'
type Body = {
token: string | null
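Review bot: Rotating `users.token` on a username change logs the user out of every other session exactly as a password change does, yet nothing in the hunk says that this is intended; a comment above the added `const token = …` line, such as `// rotate the session token so every other session is invalidated after the rename`, would stop a later maintainer from removing it as unrelated to the username. As in change-password, the token is stored raw in the `.set({ username: body.newUsername, token })` line while being the user's only bearer credential; storing a SHA-256 digest there and returning the raw value in `data` limits the damage of a database read, though that depends on how `checkAuthorization` looks tokens up, which is outside this diff. `randomBytes(256)` yields a 512-character hex string; 32 bytes is plenty and less likely to exceed the width of the `token` column, which this diff does not show. The success path still returns without a visible `connection0.end()`, unlike the 401 branch above, and handler starts outside the hunk; unless the connection is closed elsewhere, every successful rename leaks it.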
@@ -21,7 +22,7 @@ export async function handler (context: Context) {
if (!dbInfo0)
return jsonResponse(
- { success: false, message: 'Failed to connect to database' },
+ { success: false, message: 'Failed to connect to database', data: null },
500
)
const { connection: connection0, db: db0 } = dbInfo0
@@ -32,7 +33,8 @@ export async function handler (context: Context) {
return jsonResponse(
{
success: false,
- message: 'Invalid verify code (codes can only be used once)'
+ message: 'Invalid verify code (codes can only be used once)',
+ data: null
},
400
)
@@ -43,7 +45,8 @@ export async function handler (context: Context) {
return jsonResponse(
{
success: false,
- message: 'Failed to get required info'
+ message: 'Failed to get required info',
+ data: null
},
400
)
@@ -56,7 +59,8 @@ export async function handler (context: Context) {
message:
body.token != null
? 'Invalid captcha token'
- : 'Invalid verify code (codes can only be used once)'
+ : 'Invalid verify code (codes can only be used once)',
+ data: null
},
400
)
@@ -92,16 +96,18 @@ export async function handler (context: Context) {
)
.execute()
const hashedPassword = await bcrypt.hash(body.password, 10)
+ const token = randomBytes(256).toString('hex')
await db0
.update(users)
- .set({ password: hashedPassword })
+ .set({ password: hashedPassword, token })
.where(eq(users.id, codeExists[0].userId))
.execute()
connection0.end()
return jsonResponse(
{
success: true,
- message: null
+ message: null,
+ data: token
},
200
)
@@ -110,7 +116,8 @@ export async function handler (context: Context) {
return jsonResponse(
{
success: false,
- message: 'Invalid reset code (codes can only be used once)'
+ message: 'Invalid reset code (codes can only be used once)',
+ data: null
},
400
)
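Review bot: This endpoint is reachable with only a captcha and a reset code, and the added `data: token` in the success response now turns that reset code into a full login credential; that is a defensible design, but it makes the single-use and expiry handling of the code (presumably the `.execute()` at the top of the hunk, whose statement begins outside it) the only thing between a leaked reset e-mail and a live session, so the code lifetime should be reviewed with that in mind. Because the response now carries a bearer token, the handler or `jsonResponse` (not visible here) should send `Cache-Control: no-store`, and the token value must not reach request or error logs. As in the other two routes, the token is stored raw in `users.token` by the `.set({ password: hashedPassword, token })` line while the password beside it is bcrypt-hashed; writing a SHA-256 digest to the column and returning the raw value in `data`, with `randomBytes(32)` rather than `randomBytes(256)`, would be the safer shape, ideally through one shared helper so the three routes cannot drift. handler starts and ends outside this hunk.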