Refresh token rotation - SCIM OAuth

We have an application in the OIN supporting user provisioning.

Some of our customers have reported issues with their authentication where after a few days, the integration stops working, with the

> The credentials used to connect to the API were invalid; please check your configuration 

Now, reauthenticating does solve the problem, which then reappears after a few days.

We’re not seeing this issue with our other OAuth clients so we’re wondering if you could help us debug this issue by sharing what happens on OKTA’s side to ensure the tokens get replaced properly.

Our access tokens have a validity of 1 hour, after which they should be refreshed using the refresh token. Once the refresh token is used, we will invalidate it and a new one will be returned to be used for subsequent requests.
However it looks like sometimes an old refresh token is being sent, causing us to fail the authentication.

Any idea why this would happen?