# `AshAuthentication.Oauth2Server.Changes.RotateRefreshToken`
[🔗](https://github.com/team-alembic/ash_authentication_oauth2_server/blob/v0.1.0/lib/ash_authentication/oauth2_server/changes/rotate_refresh_token.ex#L5)

Change that rotates a refresh-token row atomically.

Attaches a filter expression — `is_nil(rotated_to_id) and is_nil(revoked_at)`
— to the changeset so the underlying `UPDATE` only matches a row that's
still valid AND unrotated AND unrevoked. The `:rotated_to_id` argument
is then written to the row.

A concurrent rotation race produces one winner; the loser's UPDATE
matches zero rows and the `Token` core treats it as `:reuse`, triggering
chain revocation per OAuth 2.1 §4.3.1.

Usage in your refresh-token resource:

    update :rotate do
      argument :rotated_to_id, :uuid_v7, allow_nil?: false
      accept []
      require_atomic? false

      change AshAuthentication.Oauth2Server.Changes.RotateRefreshToken
    end
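
The conditional `UPDATE` described above, modelled at the SQL level with Python's `sqlite3` as an added example; it is not this library's code. Only `rotated_to_id` and `revoked_at` come from the page: the `refresh_tokens` table, the `chain_id` column, the function names and the `"ok"`/`"reuse"`/`"invalid"` return values are assumptions made for illustration.

```python
import sqlite3
import uuid
from datetime import datetime, timezone

def setup():
    """In-memory table; the schema is an assumption, not the library's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE refresh_tokens (id TEXT PRIMARY KEY, "
               "chain_id TEXT NOT NULL, rotated_to_id TEXT, revoked_at TEXT)")
    return db

def issue(db, chain_id):
    token_id = str(uuid.uuid4())
    db.execute("INSERT INTO refresh_tokens (id, chain_id) VALUES (?, ?)",
               (token_id, chain_id))
    return token_id

def active_count(db, chain_id):
    return db.execute("SELECT COUNT(*) FROM refresh_tokens "
                      "WHERE chain_id = ? AND revoked_at IS NULL",
                      (chain_id,)).fetchone()[0]

def rotate(db, token_id):
    """Return ("ok", new_id), ("reuse", None) or ("invalid", None)."""
    row = db.execute("SELECT chain_id FROM refresh_tokens WHERE id = ?",
                     (token_id,)).fetchone()
    if row is None:
        return ("invalid", None)
    chain_id, new_id = row[0], str(uuid.uuid4())
    # The WHERE clause is the compare-and-set: only an unrotated,
    # unrevoked row matches, so two racing callers cannot both win.
    cur = db.execute("UPDATE refresh_tokens SET rotated_to_id = ? WHERE id = ? "
                     "AND rotated_to_id IS NULL AND revoked_at IS NULL",
                     (new_id, token_id))
    if cur.rowcount == 0:
        # Zero rows matched: treat as reuse and revoke the whole chain,
        # including any successor already handed to the winner.
        db.execute("UPDATE refresh_tokens SET revoked_at = ? "
                   "WHERE chain_id = ? AND revoked_at IS NULL",
                   (datetime.now(timezone.utc).isoformat(), chain_id))
        db.commit()
        return ("reuse", None)
    db.execute("INSERT INTO refresh_tokens (id, chain_id) VALUES (?, ?)",
               (new_id, chain_id))
    db.commit()
    return ("ok", new_id)
```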

