ZegnatI wonder if 1 hour might be too short. I know of a handful of APIs with such shortlived tokens that people basically do not bother with them and always use the refresh token first for every request. At that point I am not sure it still gives any real security benefit?
