IBM Verify


422 Error: "The provided ID has already been used to retrieve an access token" in Refresh Token Flow

  • 1.  422 Error: "The provided ID has already been used to retrieve an access token" in Refresh Token Flow

    Posted Mon November 11, 2024 04:31 PM

    We're experiencing a 422 error indicating that a refresh token ID has already been used to retrieve an access token. Our logs show each refresh token is only used once, as expected, yet the error persists. Could you advise on potential causes or troubleshooting steps to confirm if this is due to a configuration or system behavior within ISVA?



    ------------------------------
    Banu Priya Gopalakrishnan
    ------------------------------


  • 2.  RE: 422 Error: "The provided ID has already been used to retrieve an access token" in Refresh Token Flow

    Posted Tue November 12, 2024 01:42 AM

    Speculation, but it's quite likely your logs show each refresh token being presented only once because the log event is being generated only after the exchange succeeds. It is very likely that the requests are coming in with the same refresh token more than once. This is very common in situations where (for example) the client is a mobile app and network connectivity is unreliable. This is precisely why the "Enable multiple refresh tokens for fault tolerance" checkbox exists when creating an OAuth definition. Are you using that? What is the nature of your OAuth clients (are they mobile applications)?



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
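The failure mode described in the reply above, as an added example that is not part of the thread and is not IBM's or ISVA's code: a constructed model of an authorization server with single-use refresh tokens, a client whose reply is lost on a flaky link so it retries the same refresh token, and a log that is written only on a successful exchange. The server records every token it receives separately from what the success-only log shows. The "multiple refresh tokens for fault tolerance" option is modelled by assumption as "the last N refresh tokens issued for a grant stay valid"; the real ISVA behaviour behind that checkbox is not documented here. The 422 body reuses the error text from the thread title; token values and grant IDs are generated inline.

```python
"""Constructed model of a refresh-token grant with single-use refresh tokens.
Not ISVA's code: it shows why a success-only log records a refresh token once
while the server actually received it twice from a retrying client."""
import secrets

# Error body borrowed from the thread title; the real response format is not modelled.
REUSE_422 = {
    "error": "invalid_grant",
    "error_description": "The provided ID has already been used to retrieve an access token",
}


class TokenServer:
    def __init__(self, fault_tolerant=False, keep_previous=1):
        # Assumption: the fault-tolerance option is modelled as "the most recent
        # 1 + keep_previous refresh tokens of a grant remain valid", not ISVA's logic.
        self.keep = 1 + keep_previous if fault_tolerant else 1
        self._grant_of = {}      # refresh token -> grant id
        self._chain = {}         # grant id -> refresh tokens issued, oldest first
        self.presentations = []  # every refresh token the server received
        self.success_log = []    # what a log written only after success shows

    def _issue(self, grant):
        rt = secrets.token_urlsafe(16)
        self._grant_of[rt] = grant
        self._chain.setdefault(grant, []).append(rt)
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

    def login(self, grant):
        return self._issue(grant)

    def refresh(self, rt):
        self.presentations.append(rt)
        grant = self._grant_of.get(rt)
        if grant is None:
            return 400, {"error": "invalid_grant"}
        # Only the newest `keep` tokens of the chain are accepted; an older one was
        # already exchanged, so presenting it again is the reuse the 422 reports.
        if rt not in self._chain[grant][-self.keep:]:
            return 422, dict(REUSE_422)
        self.success_log.append(rt)
        return 200, self._issue(grant)


def refresh_with_retry(server, rt, lost_responses=1, max_attempts=3):
    """Client that retries the same refresh token when the reply never arrives.
    Every request reaches the server; only the reply is dropped."""
    lost = 0
    for _ in range(max_attempts):
        status, body = server.refresh(rt)
        if lost < lost_responses:
            lost += 1  # reply lost on the flaky link: client still holds the old token
            continue
        return status, body
    return None, None


def run_scenario(fault_tolerant):
    """Log in, then refresh once with one lost reply; returns server, token, final status."""
    server = TokenServer(fault_tolerant=fault_tolerant)
    rt = server.login("grant-1")["refresh_token"]
    status, _ = refresh_with_retry(server, rt)
    return server, rt, status


if __name__ == "__main__":
    for ft in (False, True):
        server, rt, status = run_scenario(ft)
        print(f"fault_tolerant={ft}: final status {status}, "
              f"server received the token {server.presentations.count(rt)}x, "
              f"success log shows it {server.success_log.count(rt)}x")
```

Without fault tolerance the retry gets the 422 even though the success log shows the token exactly once, which is the discrepancy the original post describes; the fix for the investigation is to log every presentation (or count rejected exchanges), not only successful ones. With the modelled grace of one previous token the retry succeeds, but a third presentation is still rejected once two newer tokens exist, so the option narrows the window rather than removing single-use semantics.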



  • 3.  RE: 422 Error: "The provided ID has already been used to retrieve an access token" in Refresh Token Flow

    Posted Tue November 12, 2024 04:08 AM

    Thank you for the insight. We have "Enable multiple refresh tokens for fault tolerance" enabled in our OAuth setup, and we have both web and mobile applications. Additionally, our refresh tokens are valid for 180 days. Is there any logging configuration that would capture failed or duplicate refresh token attempts that might be missing from our current logs?



    ------------------------------
    Banu Priya Gopalakrishnan
    ------------------------------