In Meteor, this is actually handled on the client after the app loads, so that "the query string is not sent over the wire with the HTTP request".
Check out the Meteor code for handling password resets and email verification for how it's done:
https://github.com/meteor/meteor/blob/devel/packages/accounts-base/url_client.js
This is part of the wider accounts-base
package, Meteor's user accounts system:
https://github.com/meteor/meteor/tree/devel/packages/accounts-base