Resetting the password: how to notify the client that the server gave the go-ahead if there is a redirect?
I am doing a password reset. Everything seems clear, but I am stuck on one point.
I have an application and an authorization server on different domains. Everything is clear, except how to do the reset.
The scheme is as follows: the user follows the link in the e-mail; the link points to something like https://api.example.com/verify?token=blah
Then the server checks the token and redirects to, say, https://example.com/new-password
where, presumably, there is a form for entering a new password. And I think the new password will then have to be POSTed to a separate URL.
And how do you put it all together?
1. When should the password be removed from the database? When the token from the e-mail is verified, or after the new password is received? A lot of time can pass between these actions (for example, the user went to drink tea after clicking the link in the e-mail).
2. If the password is deleted before a new one is entered, I end up with a fully active, working user WITHOUT a password. How is that acceptable at all?
3. How do I notify the client that it is authorized to send a new password at all? And conversely, how does the server find out that the client is authorized to send a password?
How to do it right, where to find best practices?
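The flow described in the question, worked through as an added example (not code from the question's author or from any particular framework): the old password is never cleared, the e-mail token is stored only as a hash with an expiry, the GET on the verify link only checks the token and redirects, and the token is re-checked and consumed when the new password is POSTed. The in-memory `AuthServer`, the 15-minute TTL and the URLs are assumptions for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed example; not the question's code or any framework's API.
TOKEN_TTL_SECONDS = 15 * 60                          # assumed lifetime of the e-mail link
APP_RESET_FORM = "https://example.com/new-password"  # front-end form URL from the question


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


@dataclass
class ResetRecord:
    user_email: str
    expires_at: float
    used: bool = False


class AuthServer:
    """In-memory stand-in for api.example.com (constructed for the example)."""

    def __init__(self, now=time.time):
        self.now = now                              # injectable clock so expiry is testable
        self.users: dict[str, bytes] = {}           # email -> stored password hash
        self.resets: dict[str, ResetRecord] = {}    # sha256(token) -> record

    @staticmethod
    def _token_key(token: str) -> str:
        # Only a hash of the token is stored, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        stored = self.users.get(email)
        return stored is not None and check_password(password, stored)

    def request_reset(self, email: str) -> Optional[str]:
        """Issue the token that goes into the e-mail link. Nothing else changes."""
        if email not in self.users:
            return None                             # the HTTP reply should look identical either way
        token = secrets.token_urlsafe(32)
        self.resets[self._token_key(token)] = ResetRecord(email, self.now() + TOKEN_TTL_SECONDS)
        return token

    def _valid_record(self, token: str) -> Optional[ResetRecord]:
        rec = self.resets.get(self._token_key(token))
        if rec is None or rec.used or self.now() >= rec.expires_at:
            return None
        return rec

    def verify_link(self, token: str) -> Optional[str]:
        """GET /verify?token=...: check only, then redirect. The old password stays in place."""
        if self._valid_record(token) is None:
            return None
        # The token itself is what proves to the server, on the later POST, that this
        # client may set a password. It goes in the fragment so it is not sent in Referer headers.
        return f"{APP_RESET_FORM}#token={token}"

    def set_new_password(self, token: str, new_password: str) -> bool:
        """POST new password + token: the token is re-checked and consumed here."""
        rec = self._valid_record(token)
        if rec is None:
            return False
        # The old hash is overwritten in one step; the account never exists without a password.
        self.users[rec.user_email] = hash_password(new_password)
        # Consume this token and any other outstanding reset tokens for the same account.
        for other in self.resets.values():
            if other.user_email == rec.user_email:
                other.used = True
        return True


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice@example.com", "old-secret")
    tok = srv.request_reset("alice@example.com")
    print("redirect:", srv.verify_link(tok))
    print("changed:", srv.set_new_password(tok, "new-secret"))
    print("old login:", srv.login("alice@example.com", "old-secret"))
    print("new login:", srv.login("alice@example.com", "new-secret"))
```

The answers to the three numbered points follow from the structure: the password is never removed, only replaced on the POST; the account therefore never exists without a password, and the tea break costs nothing beyond the token's lifetime; and the client's authorization is the token it carries from the redirect, which the server re-validates on the POST rather than trusting any state set during the GET.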
1. When to remove the password from the database?