@adam-hanna: check if refreshToken["sub"] == authToken["sub"]? I don't think this is necessary bc a valid refresh token will always generate a valid auth token of the same "sub".

read the key files before starting http handlers.