Why does my refresh token become invalid after using another refresh token in the same OAuth app?

Hi Team,

I'm currently using Jira OAuth 2.0 Authorization Code Flow and I'm trying to understand how rotating refresh tokens work when the same app is authorized multiple times.

Here is what I did:

1. I authorized the same OAuth 2.0 app twice, which gave me:

   • refresh_token_1 (from the first authorization)

   • refresh_token_2 (from the second authorization)

2. I used refresh_token_1 to get a new access token and refresh token:

   • I received AccessToken_A and refresh_token_3

   • So now refresh_token_3 should be used for future refreshes

3. After some time (more than 10 minutes), I used refresh_token_2 (from the second authorization) to get new tokens:

   • I received AccessToken_B and refresh_token_4 successfully

Now when I try to use refresh_token_3 (which was generated from refresh_token_1), I get the following error:

{
"error": "unauthorized_client",
"error_description": "refresh_token is invalid"
}

I expected refresh_token_3 to still be valid because it was freshly generated and hadn't used to generate an access token

My questions are:

• Why did refresh_token_3 become invalid?

• Does using a different refresh token from the same client (like refresh_token_2) revoke the previous refresh token chain?

• Is it true that only one refresh token at a time is valid per OAuth client (app) per user session?

Any official guidance or clarification would be very helpful. Thank you!