Hi @Amiel,
@stephenwaite pointed you to the most updated stuff. The link by @visolveemr is a bit dated. OpenEMR 6.0.0-dev supports either Bcrypt or Argon hashing, which is easy to customize. The hashing settings can be set differently for the authentication (both core and API auth) and token authentication. This is so that, for example, you can set the auth hash to take a second, but the token auth hash to be much faster (which also makes sense since tokens are short term anyways).
A token is also basically impossible to counterfeit or guess since it is encrypted and then confirmed by an HMAC hash when decrypted, and then the subsequent hash check adds more security. And since it incorporates a hash, you can't infer what a token is by what is stored in the database.
-brady
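
The scheme described in the post above, sketched as an added example that is not part of the original post and is not OpenEMR's code: a slow password hash for login, a faster one for tokens, and a token that is encrypted, HMAC-checked, then compared against a stored hash. The function names, bcrypt cost values, cipher, HMAC algorithm and token layout are all assumptions chosen for illustration.

```php
<?php
// Added illustration, not OpenEMR code. Names, costs and token layout are assumptions.

// Separate work factors: slow hash for interactive login, fast hash for short-lived tokens.
const AUTH_HASH_OPTS  = ['cost' => 12];  // assumed value
const TOKEN_HASH_OPTS = ['cost' => 5];   // assumed value

function issueToken(string $encKey, string $macKey): array
{
    $secret = bin2hex(random_bytes(32));   // 64 chars, under bcrypt's 72-byte input limit
    $iv     = random_bytes(16);
    $ct     = openssl_encrypt($secret, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $mac    = hash_hmac('sha384', $iv . $ct, $macKey, true);   // encrypt-then-MAC
    return [
        'token'  => base64_encode($mac . $iv . $ct),   // handed to the client
        'stored' => password_hash($secret, PASSWORD_BCRYPT, TOKEN_HASH_OPTS),   // only this is stored
    ];
}

function verifyToken(string $token, string $stored, string $encKey, string $macKey): bool
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 48 + 16 + 16) {
        return false;
    }
    $mac = substr($raw, 0, 48);   // SHA-384 output is 48 bytes
    $iv  = substr($raw, 48, 16);
    $ct  = substr($raw, 64);
    // 1. Reject anything whose HMAC does not match, before decrypting.
    if (!hash_equals(hash_hmac('sha384', $iv . $ct, $macKey, true), $mac)) {
        return false;
    }
    $secret = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    // 2. Compare the decrypted secret with the hash held in the database.
    return $secret !== false && password_verify($secret, $stored);
}

// Constructed sample keys and password, generated inline so the script runs offline.
$encKey    = random_bytes(32);
$macKey    = random_bytes(32);
$loginHash = password_hash('constructed-sample-password', PASSWORD_BCRYPT, AUTH_HASH_OPTS);
$issued    = issueToken($encKey, $macKey);

var_dump(password_verify('constructed-sample-password', $loginHash));
var_dump(verifyToken($issued['token'], $issued['stored'], $encKey, $macKey));

$tampered     = $issued['token'];
$tampered[70] = $tampered[70] === 'A' ? 'B' : 'A';   // alter one character of the client token
var_dump(verifyToken($tampered, $issued['stored'], $encKey, $macKey));
```

The database row holds only the bcrypt output of the token secret, so reading the table does not yield a usable token, and a token altered in transit is rejected at the HMAC step before any decryption happens.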