What "token" are you referring too? The only thing on the server would be the MySQL encrypted column that holds the salt & hashed pw by user. If those are leaked then they have to decrypt the data first. If that's done then there isn't much you can do anyway for this game, but at least it's not plain text for them to try with other sites for the user.
I'm still not convinced you're doing it right.
Whether something is encrypted in MySQL doesn't matter, because your code needs to be able to read it, and thus an attacker will just insert the reading code into your code, or use some other code injection, to get the cleartext. Encrypted MySQL storage (or encrypted file systems) only protect against backups falling in the wrong hands, or physical theft, assuming the password itself isn't also stored on the machine.
So, let's assume you store bcrypt(salt, password) in the password database (is this what you mean by "hashed" ?)
Let's call this DatabaseValue.
This means the client needs to learn the salt, to be able to bcrypt it in the same way. So the client computes bcrypt(salt, password) and sends it to you.
You then compare it to DatabaseValue, and if it doesn't match, you deny the login.
This means that your login algorithm is insecure. If someone gets ahold of the password database, they can now log in as all possible users. They don't need to calculate anything, because the right response is already available. In effect, the hashed value is now the "cleartext" password, because knowing the value in the database allows you to login.
The whole idea of calculating a password hash is that leakage of the database table doesn't grant access to users. For this to work, the client MUST provide the cleartext password on login, and the server then calculates the hash and compares to the database value. Providing the hash from the client doesn't work, because the hash is not reversible.
If you are worried about the cleartext password leaking during transmittal to you, then use TLS. Your "additinal level of security" doesn't accomplish anything extra, and if it leads to the design above, then it actually hurts security.
If your design is somehow materially different, I'd be very interested in hearing a detailed description of what data is stored, what data is provided to the client, what data is provided from the client, and how login authentication actually works!