by rahkiin 296 days ago
If api keys do not need to be stateless, every api key can become a refresh token with a full permission and validity lookup.

This.

The separation of a refresh cycle is an optimization done for scale. You don't need to do it if you don't need the scale. (And you need a really huge scale to hit that need.)
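
The trade-off discussed in this thread, as an added example that is not part of either comment: a stateful API key checked by a full lookup on every request, next to a refresh step that exchanges the key for a short-lived signed token verified without a lookup. All names, the in-memory key store, the signing key and the 300-second lifetime are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

SIGNING_KEY = b"constructed-demo-signing-key"  # constructed value, demo only
KEYS = {}  # sha256(api key) -> {"scopes": set, "revoked": bool}; stands in for a database

def _digest(api_key):
    return hashlib.sha256(api_key.encode()).hexdigest()

def issue_api_key(scopes):
    api_key = secrets.token_urlsafe(32)
    KEYS[_digest(api_key)] = {"scopes": set(scopes), "revoked": False}
    return api_key

def revoke(api_key):
    KEYS[_digest(api_key)]["revoked"] = True

def lookup(api_key):
    """Full permission and validity lookup against the key store."""
    record = KEYS.get(_digest(api_key))
    return None if record is None or record["revoked"] else record

def authorize_stateful(api_key, scope):
    """Every request pays one lookup; revocation takes effect immediately."""
    record = lookup(api_key)
    return record is not None and scope in record["scopes"]

def mint_access_token(api_key, now, ttl=300):
    """Refresh step: one lookup, then a signed token carrying scopes and expiry."""
    record = lookup(api_key)
    if record is None:
        return None
    claims = {"scopes": sorted(record["scopes"]), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig

def authorize_stateless(token, scope, now):
    """No lookup: trust the signature, so a revoked key's token lives until exp."""
    body, _, sig = token.rpartition(b".")
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return now < claims["exp"] and scope in claims["scopes"]
```

After `revoke()`, `authorize_stateful` rejects the key on the next request, while a token minted earlier keeps passing `authorize_stateless` until its `exp`; that window is the cost of skipping the per-request lookup.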