If the hacker somehow gets the refresh token and uses it to get an access token, how can the server know that specific refresh token is malicious?
refresh token