No it’s just bad practice.
Yes use the validate endpoint
Indeed only user “normal” oAuth get Refresh tokens.
Implicit and App Access you have to go round the loop again
I discovered the limit as I had a good practice and a bad practice script, and the bad practice script broke the good practice scripts token.