Tokens are passwords: possession of one lets you act as the user. Never store them in plain text; hash them in the database. Otherwise a DB leak grants write access to user accounts (not just read access). Tokens should also have expiry dates and a bounded quantity per user.
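
An added example (not part of the original text) of the storage scheme described above: the database keeps only a SHA-256 digest of each token, plus an expiry time, and caps the number of live tokens per user. The SQLite schema, the function names, and the values of `MAX_TOKENS_PER_USER` and `TOKEN_TTL_SECONDS` are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

MAX_TOKENS_PER_USER = 5    # assumed cap on live tokens per user
TOKEN_TTL_SECONDS = 3600   # assumed token lifetime

def open_store():
    # In-memory database so the example runs offline; note there is no plaintext column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tokens (token_hash TEXT PRIMARY KEY, "
               "user_id TEXT NOT NULL, expires_at REAL NOT NULL)")
    return db

def token_digest(token):
    # A plain, unsalted SHA-256 is adequate here only because the token is
    # 256 bits of CSPRNG output, unlike a human-chosen password.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_token(db, user_id, now=None):
    now = time.time() if now is None else now
    db.execute("DELETE FROM tokens WHERE expires_at <= ?", (now,))
    # Enforce the per-user bound: keep the newest tokens, evict the rest.
    live = db.execute("SELECT token_hash FROM tokens WHERE user_id = ? "
                      "ORDER BY expires_at DESC, rowid DESC", (user_id,)).fetchall()
    for (old_hash,) in live[MAX_TOKENS_PER_USER - 1:]:
        db.execute("DELETE FROM tokens WHERE token_hash = ?", (old_hash,))
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO tokens VALUES (?, ?, ?)",
               (token_digest(token), user_id, now + TOKEN_TTL_SECONDS))
    return token  # handed to the client once; never persisted in this form

def verify_token(db, token, now=None):
    # Look up by digest, so a value read out of the table is useless as a token.
    now = time.time() if now is None else now
    row = db.execute("SELECT user_id FROM tokens WHERE token_hash = ? "
                     "AND expires_at > ?", (token_digest(token), now)).fetchone()
    return row[0] if row else None
```

Because lookup goes through the digest, a row copied out of a leaked table cannot be replayed as a credential.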