by Arbortheus 1186 days ago
GET for creating access tokens seems like the incorrect request type.
3 comments

Welcome to Meta API
Using GET to request a resource kind of makes sense. Usually you want to send some information to the endpoint as well, though, which makes a GET a bit awkward.
GET should be idempotent, so if the request is repeated by the browser/a proxy/a user hitting F5, it should not matter. This is why some websites with inadequate password reset email links don't work if your company/ISP/email provider implements link scanning, as the automated service already clicked the super secret one-time link (and if the website is following the spec, that should be totally fine).

As long as the GET requests return the same or equivalent API data every time, they make total sense. For an access token, that's perfectly fine, assuming they don't generate a new token with every request of course.
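The link-scanning failure mentioned in the thread, as an added example that is not part of the original comments: a one-time reset link that is consumed on GET is burned by an automated prefetch, while a design where GET only renders a confirmation page and POST consumes the token survives it. `ResetLinks`, `simulate` and the in-memory token store are hypothetical names constructed for this sketch.

```python
import secrets

class ResetLinks:
    """In-memory one-time token store (constructed for this example)."""
    def __init__(self, consume_on_get):
        self.consume_on_get = consume_on_get
        self.tokens = {}            # token -> account name

    def issue(self, account):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = account
        return token

    def handle(self, method, token):
        """Return (status, body) for a request to the reset link."""
        if token not in self.tokens:
            return 410, "link expired or already used"
        if method == "GET":
            if self.consume_on_get:
                # State change on GET: the first fetch, by anyone, burns the link.
                account = self.tokens.pop(token)
                return 200, f"reset form for {account}"
            # Safe GET: only renders a page whose form POSTs the token back.
            return 200, "confirm reset (form submits via POST)"
        if method == "POST":
            account = self.tokens.pop(token)   # the one-time use happens here
            return 200, f"password reset for {account}"
        return 405, "method not allowed"

def simulate(consume_on_get):
    """A scanner prefetches the link with GET, then the user follows it."""
    site = ResetLinks(consume_on_get)
    token = site.issue("alice")
    site.handle("GET", token)                   # automated link scanner
    status, _ = site.handle("GET", token)       # the real user clicks
    if status == 200 and not consume_on_get:
        status, _ = site.handle("POST", token)  # user submits the form
    return status

if __name__ == "__main__":
    print("consume on GET: ", simulate(True))
    print("safe GET + POST:", simulate(False))
```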