Okay so after reading it I figured I may have impl...
# security-discussion
Okay, so after reading it I figured I may have implemented the new approach. However, instead of storing the opaque token in the DB, I have a token version in the user table. The refresh token in the cookie has a token version too, and before issuing a new access token I check if the cookie version matches the one in the database, so I can increment the database version in case an account gets stolen. I guess that is what you recommend.
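
The token-version check described in the message above, sketched as an added example that is not part of the original post or the poster's code. The HMAC-signed cookie format, the in-memory `USERS` table and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"          # assumption: server-side HMAC key
USERS = {"alice": {"token_version": 0}}   # stands in for the user table

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_refresh_token(user_id, ttl=7 * 24 * 3600, now=None):
    """Build the cookie value: base64url(claims) + "." + HMAC over the claims."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": now + ttl,
              "ver": USERS[user_id]["token_version"]}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()

def verify_refresh_token(cookie, now=None):
    """Return the user id if the cookie may be exchanged for an access token."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
        # Authenticate first, so "ver" cannot simply be edited by the client.
        if not hmac.compare_digest(sig.encode(), _sign(payload)):
            return None
        claims = json.loads(payload)
        user = USERS[claims["sub"]]
    except (ValueError, KeyError, TypeError):
        return None
    if claims["exp"] < now:
        return None
    # The revocation check: cookie version must equal the stored version.
    if claims["ver"] != user["token_version"]:
        return None
    return claims["sub"]

def revoke_all_sessions(user_id):
    """Bump the stored version; every refresh token issued before now fails."""
    USERS[user_id]["token_version"] += 1
```

Because there is one counter per user, incrementing it invalidates the refresh tokens on every device for that account, not only the stolen one.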