Foreword

All the content here is to the best of my understanding. However, since this relates to security, don't use this as a definitive reference.

...

Essentially, every refresh token is single-use. Exchanging it at the token endpoint yields a 15-minute access token plus a brand-new refresh token, and the refresh token just presented is invalidated immediately, so it cannot be exchanged a second time. Separately, a refresh token that goes unused for longer than the idle limit (1 hour for us) expires on its own, and the application must send the user through authentication again.

Importantly (from the link above, verbatim) "If a previously used refresh token is used again with the token request, the Authorization Server automatically detects the attempted reuse of the refresh token. As a result, Okta immediately invalidates the most recently issued refresh token and all access tokens issued since the user authenticated. This protects your application from token compromise and replay attacks."
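The following is an added example, not Okta's code and not part of the original page: a small in-memory model of the rotation policy described above (single-use refresh tokens, 15-minute access tokens, a 1-hour idle limit, and family-wide revocation on reuse), so the replay scenario can be walked through concretely. The `AuthServer` class, the token formats, the simulated clock and the scenario functions are all assumptions for illustration. One thing the model makes visible that the prose does not: reuse detection only fires when the *already-used* token is presented. If an attacker who stole a refresh token exchanges it before the legitimate client does, the attacker holds a valid session until the legitimate client's next refresh trips the detection; only then is the whole family revoked.

```python
"""Toy model of refresh-token rotation with reuse detection (added example).

Not Okta's implementation. It models the behaviour the page describes:
single-use refresh tokens, 15-minute access tokens, a 1-hour idle limit on
refresh tokens, and revocation of the whole token family on reuse. The
in-memory store, the simulated clock and the token formats are assumptions.
"""
import secrets
from dataclasses import dataclass, field

ACCESS_TTL = 15 * 60        # access token lifetime in seconds (page: 15 minutes)
REFRESH_IDLE_TTL = 60 * 60  # refresh token idle limit in seconds (page: 1 hour)


class TokenError(Exception):
    """Raised for an unknown, expired, revoked or reused refresh token."""


@dataclass
class RefreshRecord:
    family: str          # one family per user authentication (one session/grant)
    issued_at: float     # simulated clock value at issuance
    used: bool = False   # set once the token has been exchanged


@dataclass
class AuthServer:
    now: float = 0.0                                    # simulated clock (seconds)
    refresh: dict = field(default_factory=dict)         # refresh token -> RefreshRecord
    access: dict = field(default_factory=dict)          # access token -> (family, expiry)
    revoked_families: set = field(default_factory=set)

    def _mint(self, family):
        """Issue an access token and a refresh token bound to the same family."""
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.refresh[rt] = RefreshRecord(family=family, issued_at=self.now)
        self.access[at] = (family, self.now + ACCESS_TTL)
        return at, rt

    def authenticate(self):
        """User logs in: start a fresh token family."""
        return self._mint(secrets.token_hex(8))

    def exchange(self, rt):
        """Token endpoint for grant_type=refresh_token with rotation."""
        rec = self.refresh.get(rt)
        if rec is None:
            raise TokenError("unknown refresh token")
        if rec.family in self.revoked_families:
            raise TokenError("token family revoked")
        if rec.used:
            # Reuse detected: revoke the newest refresh token and every
            # access token issued since the user authenticated.
            self._revoke_family(rec.family)
            raise TokenError("refresh token reuse detected; family revoked")
        if self.now - rec.issued_at > REFRESH_IDLE_TTL:
            del self.refresh[rt]
            raise TokenError("refresh token expired; re-authenticate")
        rec.used = True                     # single-use: never exchangeable again
        return self._mint(rec.family)

    def _revoke_family(self, family):
        self.revoked_families.add(family)
        for t in [t for t, r in self.refresh.items() if r.family == family]:
            del self.refresh[t]
        for t in [t for t, (f, _) in self.access.items() if f == family]:
            del self.access[t]

    def access_valid(self, at):
        """True while the access token exists and has not hit its expiry."""
        entry = self.access.get(at)
        return entry is not None and self.now < entry[1]


def normal_rotation():
    """Happy path: one exchange yields new tokens and burns the old refresh token."""
    srv = AuthServer()
    _, rt1 = srv.authenticate()
    srv.now += 60
    at2, rt2 = srv.exchange(rt1)
    return srv.access_valid(at2), srv.refresh[rt1].used, rt2 in srv.refresh


def replay_scenario():
    """Stolen rt1 is replayed after the legitimate client already rotated it."""
    srv = AuthServer()
    at1, rt1 = srv.authenticate()
    srv.now += 60
    at2, rt2 = srv.exchange(rt1)          # legitimate client rotates first
    try:
        srv.exchange(rt1)                 # attacker replays the used token
    except TokenError:
        pass
    return {                              # everything from this session is dead
        "at1_valid": srv.access_valid(at1),
        "at2_valid": srv.access_valid(at2),
        "rt2_usable": rt2 in srv.refresh,
    }


def idle_expiry_scenario():
    """A refresh token left unused past the idle limit forces re-authentication."""
    srv = AuthServer()
    _, rt1 = srv.authenticate()
    srv.now += REFRESH_IDLE_TTL + 1
    try:
        srv.exchange(rt1)
        return "exchanged"
    except TokenError as err:
        return str(err)
```

Note that in `replay_scenario` the first access token `at1` is still valid right after the legitimate rotation (rotation burns the refresh token, not outstanding access tokens); it is the detected reuse that sweeps away every access token in the family.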


Using Okta to manage sessions

...