Encryption problem
This question is a continuation of the question about the password recovery form on the site.
I'll quote it in full.
We made a small form with an email input field and a "Recover password" button.
When it is clicked, a link of the following form is sent to the email (if it exists in the database):
site.ru/fastlogin/[email protected]/823497378934270324789543
From the link we check whether the email and the password hash (823497378934270324789543) match the account data. If they do, the person is automatically logged in to the site. That is, they followed the link and are already logged in.
It all seems very easy and convenient. But it feels like there are some pitfalls here. Maybe you can see them?
md5($pass.$salt);
You can, of course, use md5($pass.$salt.$date) and round $date to the interval you need: month, day, hour, depending on the expiration time. You can check both the current and the previous one so there's no nasty surprise. True, it will only work with an accuracy of ± the selected interval, but I don't think that's a problem.
For example, the code could be formed something like this:
HEX(symmetric_cipher(array(strong_password_hash, hash_expiry_date, strong_hash_covering_the_date_and_the_password_hash)))
Take a look at phpclasses; there are ready-made algorithms that get by without mcrypt.
Additionally, you need to take into account the limit on GET request length.
There is a better option: for example, you can give a period of three days and write the code as
md5($password . $salt . date('Y-m-d', strtotime('+3 days')))
After the client clicks the link, check whether the incoming code matches the code generated for any of the next three days.
The cons, I think, are clear.
By giving up storing anything in the database, you lose the ability to control the number of clicks on a given link, and you also have to form a rather complex URL.
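A worked version of the two stateless schemes above (the rounded-interval md5($pass.$salt.$date) from the first answer and the three-day code from the second), added here as an example and not taken from either answer. It swaps the md5 concatenation for hash_hmac('sha256', ...) keyed by a server-side secret plus the stored password hash, so a database dump alone cannot forge links and every outstanding link dies when the password changes. The secret, the user record, the bucket size and the helper names are assumptions.

```php
<?php
// Added example (not from the original answers): a stateless, time-bucketed
// recovery code. HMAC-SHA256 over (email, bucket), keyed by a server secret
// plus the user's stored password hash. All names and values are assumptions.

declare(strict_types=1);

const BUCKET_SECONDS = 86400;   // round time to one-day intervals
const VALID_BUCKETS  = 3;       // accept the current bucket and the two before it

// Server-side secret: keep it out of the database so that a DB dump alone
// cannot forge links. Hard-coded here only to keep the example self-contained.
const SERVER_SECRET = 'replace-with-32-random-bytes-from-random_bytes()';

/** Number of the time bucket that $time falls into. */
function bucket(int $time): int {
    return intdiv($time, BUCKET_SECONDS);
}

/** Deterministic code for (email, password hash, bucket). */
function recovery_code(string $email, string $passwordHash, int $bucket): string {
    // Keying with the stored hash makes every outstanding link die when the
    // password changes; the server secret keeps the code non-derivable from
    // the database contents alone.
    $key = SERVER_SECRET . '|' . $passwordHash;
    return hash_hmac('sha256', strtolower($email) . '|' . $bucket, $key);
}

/** Code to put into the e-mailed link, issued at time $now. */
function issue_code(string $email, string $passwordHash, int $now): string {
    return recovery_code($email, $passwordHash, bucket($now));
}

/**
 * Accept the incoming code if it matches the current bucket or any of the
 * VALID_BUCKETS-1 preceding ones ("check the current and previous ones").
 * hash_equals() avoids a timing side channel on the comparison.
 */
function verify_code(string $email, string $passwordHash, string $code, int $now): bool {
    $current = bucket($now);
    for ($i = 0; $i < VALID_BUCKETS; $i++) {
        $expected = recovery_code($email, $passwordHash, $current - $i);
        if (hash_equals($expected, $code)) {
            return true;
        }
    }
    return false;
}

// --- demo with a constructed user record (hash as in the question) ----------
$user   = ['email' => 'user@site.ru', 'hash' => md5('secret' . 'salt')];
$issued = time();
$code   = issue_code($user['email'], $user['hash'], $issued);
$link   = 'https://site.ru/fastlogin/' . rawurlencode($user['email']) . '/' . $code;
echo $link, PHP_EOL;

var_dump(verify_code($user['email'], $user['hash'], $code, $issued));                      // same day
var_dump(verify_code($user['email'], $user['hash'], $code, $issued + 2 * BUCKET_SECONDS)); // two buckets later, inside the window
var_dump(verify_code($user['email'], $user['hash'], $code, $issued + 3 * BUCKET_SECONDS)); // three buckets later, outside the window
var_dump(verify_code($user['email'], md5('newpass' . 'salt'), $code, $issued));            // password changed in the meantime
```

The comparison goes through hash_equals() rather than ==. What the example does not change is the drawback the second answer already points out: nothing is stored server-side, so the code is a bearer credential that stays valid, and replayable, for the whole window, and nothing limits the number of clicks.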
I prefer not to hand out anything at all that could be reversed to the password.
In a similar case, I generated random values like sha1(random()); they went into a separate table keyed by that same random value, along with a reference to the user, the date and other goodies, such as a redirect page. A permalink handler routed incoming links, checked them, showed the password change form and redirected to the desired page, already logged in as the given user.
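The stored-token design from the last answer, as an added example (not the answerer's code). It uses random_bytes() instead of sha1(random()), stores only a SHA-256 digest of the token so that a read of the table does not yield usable links, and enforces expiry and single use with a conditional UPDATE. PDO with an in-memory SQLite database keeps it self-contained; the table and column names, the TTL and the user record are assumptions.

```php
<?php
// Added example (not the answerer's code): single-use recovery tokens kept in
// a separate table. In-memory SQLite via PDO so it runs stand-alone; schema,
// names and the TTL are assumptions.

declare(strict_types=1);

const TOKEN_TTL = 3 * 86400; // three days, as suggested in the thread

function setup(PDO $db): void {
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
    // Only a SHA-256 digest of the token is stored: a leaked copy of this
    // table does not contain anything that works as a link.
    $db->exec('CREATE TABLE password_resets (
        token_hash TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL,
        used_at    INTEGER,
        redirect   TEXT)');
    // Constructed sample user.
    $db->exec("INSERT INTO users (email, password_hash) VALUES ('user@site.ru', 'x')");
}

/** Create a reset token for an e-mail; returns the raw token for the link, or null. */
function issue_token(PDO $db, string $email, int $now, string $redirect = '/'): ?string {
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([strtolower($email)]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null; // the caller should answer identically either way to avoid account enumeration
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not sha1(rand())
    $stmt = $db->prepare('INSERT INTO password_resets (token_hash, user_id, expires_at, redirect) VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), (int) $userId, $now + TOKEN_TTL, $redirect]);
    return $token;
}

/**
 * Look up an incoming token, enforce expiry and single use, and mark it
 * consumed. Returns [user_id, redirect] on success, null otherwise.
 */
function consume_token(PDO $db, string $token, int $now): ?array {
    $digest = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT user_id, expires_at, used_at, redirect FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$digest]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['used_at'] !== null || (int) $row['expires_at'] < $now) {
        $db->rollBack();
        return null;
    }
    // Conditional UPDATE: two concurrent clicks on the same link cannot both win.
    $upd = $db->prepare('UPDATE password_resets SET used_at = ? WHERE token_hash = ? AND used_at IS NULL');
    $upd->execute([$now, $digest]);
    $ok = $upd->rowCount() === 1;
    $db->commit();
    return $ok ? [(int) $row['user_id'], $row['redirect']] : null;
}

// --- demo ------------------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setup($db);

$now   = time();
$token = issue_token($db, 'user@site.ru', $now, '/settings/password');
echo 'https://site.ru/fastlogin/', $token, PHP_EOL; // neither e-mail nor password hash appears in the URL

$first  = consume_token($db, $token, $now + 60);   // first click on the link
$second = consume_token($db, $token, $now + 120);  // the same link presented again
$late   = consume_token($db, issue_token($db, 'user@site.ru', $now), $now + TOKEN_TTL + 1); // a fresh token presented after the TTL
var_dump($first, $second, $late);
```

On success the handler shows the password change form for the returned user id and then sends the browser to the stored redirect; because the row is marked used inside the transaction, the link cannot be replayed, which is exactly the control the stateless variants above cannot offer.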