@User > By storing only the last one used, wouldn’t we be unable to detect this? In your scenario, the user would be using a refresh token whose parent, or itself would be in the db, however, the associated session handle would still be in the db. This would be enough of an indication of token theft and it would give you that error.