Struggling to figure out why rotating the oauth client secret in the developer portal immediately invalidates existing refresh tokens for our premium app. we are hitting 401 unauthorized errors on /api/v2/oauth/token even though the refresh tokens were issued before the rotation. this is breaking our multi-tenant sync jobs. any way to avoid this hard cutoff?