First. They need a valid refresh token in order to do that. Second, even if they call the refresh API many times with a valid refresh token, we don’t actually store any of these nee tokens in the database. There is still just only one token stored in there. However, still, each call to the refresh api yields a new refresh token to the user. Now the way this works is that we use a parent child hierarchy when creating a new refresh token. Only parent tokens are stored in the database. Children tokens are only send to the user and are promoted to become the parent once those tokens are used. Overall, at any time, only one refresh token is stored in the database per session. No matter how many times a refresh API is called