As soon as you have gotten a refresh token, then you can keep on refreshing the access token with the same refresh token. Every time you use refresh token, then the "sliding lifetime" (which is 13 months) re-set. The edge case of using ReUse is if there is no API activity for over 13. months, which is highly unlikely. In this case, after 13 months, the refresh token would not work, and the merchant would need to log-on to https://admin.mobilepay.dk
Recommendation: Ensure that the api activity matches the refresh token expiration, which is 13 months. Alternatively, you can refresh the token with one week interval.
Your refresh token should not be exposed, so if you have suspicion about it being exposed, please contact email@example.com instantly and then we will ensure that the token will be revoked.
Please read the best practice for token management on our Developer Portal here.