Sohcahtoa82 3 hours ago

> Since when do OAuth clients store refresh tokens in areas that LLMs regularly scan?

If you can store your refresh token outside of where LLMs regularly scan, then why not just store your API token in that place?

The point is that refresh tokens do nothing to increase security. If a refresh token can be used to get a token, then the refresh token might as well be the actual token.

It's akin to performing client-side password hashing. It doesn't make your password more secure, it just means your hash is now your password. If someone is able to sniff your traffic, hashing the password first doesn't change anything.

I grow so tired of half-baked security theater.