Summary Two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid "(access_token, refresh_token)" pair, breaking the single-use guarantee that PKCE relies on. Details The token-exchange flow read "is_used" and called "markAsUsed" as an unconditional update at the end of the path. A new "OAuthAuthorizationCode.claimByCode" method now performs an atomic compare-and-swap ("WHERE code = ? AND is_used = false") and is called immediately before "OAuthToken.insert", after redirect-URI, PKCE, and client authentication have all succeeded. Only the first concurrent caller's "UPDATE" wins; the rest see "invalid_grant: Authorization code has already been used". Impact An attacker who has observed an authorization code and the corresponding PKCE verifier (for example through a malicious OAuth-aware client or by racing a real exchange) could obtain a long-lived refresh token in addition to the legitimate one. Credit This issue was reported by "@eddieran" (https://github.com/eddieran).