It should be unique yes,
as you can see here it uses os.urandom
wrapped inside binascii.hexlify
which in turn provides 40 chars randomly which should be enough to prevent clashes.
If you want to be absolutely sure though, combine the user id with the token in the url since the user_id is flagged as unique in the db you can rest assure that there are no doubles.