Hi Richard, thanks for sharing your experience. The refresh token is long-lived in the sense that, as long as it's used at least once every 90 days, it can last forever. Token rotation is described here, and the purpose of rotating both the refresh token and the access token is to prevent replay attacks. I'd like to better understand the scenario, so we can make sure we have a good way to address it. For a distributed system, have you explored central vaults like AWS Secrets Manager, HashiCorp Vault, etc.?
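The rotation behaviour described in the reply above, as an added example that is not part of the original thread or of any provider's code: a minimal Python refresh-token store that rotates the refresh token on every use, treats a second use of an already-rotated token as a replay and revokes the whole token family, and expires a token that goes unused for 90 days while letting one that is used within that window keep renewing indefinitely. The class and function names, the family-revocation policy, the hashing of stored tokens and the 90-day window are illustrative assumptions.

```python
# Added example, not code from the original thread. The 90-day window, the
# family-revocation policy and all names are assumptions for illustration.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

INACTIVITY_LIMIT_SECONDS = 90 * 24 * 3600  # assumption: 90 days without use


class ReuseDetected(Exception):
    """A refresh token that was already rotated was presented again (replay)."""


class TokenExpired(Exception):
    """The refresh token sat unused for longer than the inactivity window."""


@dataclass
class RefreshRecord:
    family: str      # every token descended from one login shares a family id
    subject: str
    issued_at: float
    consumed: bool = False


class RefreshTokenStore:
    def __init__(self) -> None:
        self._records: Dict[str, RefreshRecord] = {}   # keyed by token hash
        self._revoked_families: Set[str] = set()

    @staticmethod
    def _h(token: str) -> str:
        # Persist only a hash so a leaked store does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject: str, now: float, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._h(token)] = RefreshRecord(
            family=family or secrets.token_hex(8), subject=subject, issued_at=now)
        return token

    def rotate(self, presented: str, now: float) -> Tuple[str, str]:
        """Exchange a refresh token for a fresh (access, refresh) pair."""
        rec = self._records.get(self._h(presented))
        if rec is None or rec.family in self._revoked_families:
            raise PermissionError("unknown or revoked refresh token")
        if rec.consumed:
            # Replay: client or attacker presented a token that was already
            # rotated away. Revoke the whole family so both parties lose access.
            self._revoked_families.add(rec.family)
            raise ReuseDetected(rec.family)
        if now - rec.issued_at > INACTIVITY_LIMIT_SECONDS:
            raise TokenExpired(rec.family)
        rec.consumed = True
        new_refresh = self.issue(rec.subject, now, family=rec.family)
        access = secrets.token_urlsafe(16)   # stand-in for a short-lived access token
        return access, new_refresh


def demo() -> Dict[str, bool]:
    """Walk through replay detection, family revocation and the inactivity window."""
    store = RefreshTokenStore()
    day = 24 * 3600
    results = {"replay_detected": False, "family_revoked": False,
               "expired": False, "sliding_window_ok": False}

    # Legitimate client logs in at day 0 and rotates on day 10: rt1 -> rt2.
    rt1 = store.issue("alice", now=0)
    _, rt2 = store.rotate(rt1, now=10 * day)
    # An attacker who captured rt1 replays it on day 11.
    try:
        store.rotate(rt1, now=11 * day)
    except ReuseDetected:
        results["replay_detected"] = True
    # Reuse detection revoked the family, so even the legitimate rt2 now fails.
    try:
        store.rotate(rt2, now=12 * day)
    except PermissionError:
        results["family_revoked"] = True

    # A different session left untouched for 91 days is dead.
    rt3 = store.issue("bob", now=0)
    try:
        store.rotate(rt3, now=91 * day)
    except TokenExpired:
        results["expired"] = True

    # Used every 80 days, a session keeps renewing: each use restarts the clock.
    rt4 = store.issue("carol", now=0)
    for i in range(1, 4):
        _, rt4 = store.rotate(rt4, now=i * 80 * day)
    results["sliding_window_ok"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The store keys records by the hash of the token rather than the token itself, so a database dump does not by itself yield usable refresh tokens; the family id is what lets a single detected replay invalidate both the attacker's and the victim's copies.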