The OAuth refresh-token race that logs your users out — and the two-layer fix

DEV Community: node·wartzar-bee·3 days ago

Your auth has worked for months. Then you ship a small change — a page that fires a few API calls in parallel, a worker pool, a second CLI instance, an agent — and suddenly users get logged out at random. The logs say invalid_grant. Sometimes it's worse: refresh_token_reused, and a working session is nuked everywhere. Nothing in your token flow is wrong. The bug is that you're doing the correct flow concurrently with a token that only tolerates being used once.

The race, step by step

An OAuth2 client holds a short-lived access token and a long-lived refresh token. When the access token expires, you POST the refresh token to the token endpoint and get a new access token. With refresh-token rotation — now the default at Okta, Auth0, Microsoft, and Salesforce, and recommended by the OAuth 2.0 Security BCP for public clients — that refresh token is single-use. The refresh response carries a new refresh token, and the one you just sent is invalidated the instant the first refresh succeeds.…
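The race described above, with an in-process single-flight guard as one mitigation layer, as an added Node.js example that is not the post's own code: the token server, the token values and the latency delay are constructed stand-ins for a real provider with rotation enabled.

```javascript
// Added example (not from the original post): a simulated rotating token
// endpoint, a naive client that refreshes in parallel, and a single-flight
// client that lets one in-process refresh serve every concurrent caller.
function makeTokenServer() {          // simulated auth server, rotation enabled
  let gen = 0;
  const live = new Set(["rt-0"]);     // refresh tokens not yet consumed
  return {
    async refresh(refreshToken) {
      await new Promise((r) => setTimeout(r, 5));   // stand-in for latency
      if (!live.has(refreshToken)) return { error: "invalid_grant" };
      live.delete(refreshToken);      // single-use: invalidate on first use
      gen += 1;
      live.add(`rt-${gen}`);
      return { access_token: `at-${gen}`, refresh_token: `rt-${gen}` };
    },
  };
}
// Naive client: N callers each post the same refresh token; returns how many
// of those refreshes were rejected with invalid_grant.
async function naiveParallelRefresh(server, store, callers) {
  const results = await Promise.all(
    Array.from({ length: callers }, () => server.refresh(store.refreshToken)));
  for (const r of results) if (r.refresh_token) store.refreshToken = r.refresh_token;
  return results.filter((r) => r.error === "invalid_grant").length;
}
// Single-flight client: concurrent callers await the one in-flight refresh,
// and the rotated refresh token is persisted before the next refresh can start.
function makeSingleFlightClient(server, store) {
  let inflight = null;
  return async function getAccessToken() {
    if (!inflight) {
      inflight = server.refresh(store.refreshToken).then((r) => {
        if (r.error) throw new Error(r.error);
        store.refreshToken = r.refresh_token;
        return r.access_token;
      }).finally(() => { inflight = null; });
    }
    return inflight;
  };
}
// Runs both clients against fresh servers so the outcomes can be compared.
async function demo(callers) {
  const failures = await naiveParallelRefresh(makeTokenServer(), { refreshToken: "rt-0" }, callers);
  const store = { refreshToken: "rt-0" };
  const getToken = makeSingleFlightClient(makeTokenServer(), store);
  const tokens = await Promise.all(Array.from({ length: callers }, () => getToken()));
  const later = await getToken();     // a later refresh uses the rotated token
  return { failures, tokens, later, refreshToken: store.refreshToken };
}
```

With four parallel callers the naive client gets one success and three invalid_grant responses, while the single-flight client hands all four the same access token and refreshes cleanly afterwards. The guard only deduplicates within one process; a second process or CLI instance holding the same refresh token still races and needs coordination shared across processes.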
