I'm not clear on the cases in which the OUATH refresh token can become invalid? I believe there is an API method to delete tokens, but I'm curious about other cases? I'm especially curious about the 2 following cases.
Do they expire after a time limit?
If the list of scopes are changes on HubSpot, do existing tokens get invalidated or they hold the old permissions or have new permissions dictated by the scopes?