Every time I generate a token pair (access & refresh), I store them in the database. As per your advice from the blog entry, I would like to delete (revoke) the old refresh token upon the first usage of the newly generated access token. How can I achieve this?
Like, where do I store the old refreshToken so that I can delete the database entry upon the usage of the new one?
My idea would be the following:
Every token pair is stored in a document that has its _id field (which is unique). I could put the document id of the old token pair into the payload of each of the newly generated tokens. If the client then proceeds to send a request with the new access token, I delete the old ones from the database, using the document id from the payload.
If the client, for some reason, receives the new token pair and doesn't send a new request before the fresh access token expires, it would use the generated refresh token to generate a new token pair. In that case, I would also delete the old ones from the database, using the document id from the payload.
I know this is a very complex message, can you just tell me if this is somehow an acceptable way to approach my issue?
@User