Yes, if you allow /token/extend to accept a valid access token and generate a new one indefinitely, a stolen token can be used by an attacker to maintain access forever.

Use a Refresh Token mechanism. Access tokens should be short-lived and stateless, while refresh tokens should be securely stored, validated server-side, and rotated to prevent abuse. This ensures that even if an access token is compromised, long-term access is not possible without also stealing the refresh token.
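The following is an added example, not code from the original answer, showing the server-side design the answer recommends: a short-lived, stateless (HMAC-signed) access token that cannot be extended, plus a refresh token that is stored only as a hash, validated server-side, rotated on every use, and revoked together with its whole "family" if a previously rotated refresh token is presented again (reuse detection). The signing key, TTLs, token format and the in-memory store are assumptions for illustration; a real deployment would use a standard JWT library and a durable store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed lifetimes for illustration: access tokens expire quickly and are never
# extended; refresh tokens live longer but are single-use and rotated.
ACCESS_TTL_SECONDS = 300
REFRESH_TTL_SECONDS = 14 * 24 * 3600


class TokenService:
    """Issues stateless access tokens and rotating, server-tracked refresh tokens."""

    def __init__(self, signing_key: bytes, now: Callable[[], float] = time.time):
        self._key = signing_key
        self._now = now  # injectable clock so expiry can be exercised in tests
        # Refresh tokens are stored by SHA-256 hash only; the raw token is never kept.
        self._refresh: Dict[str, dict] = {}
        # A "family" groups every refresh token descended from one login session.
        self._revoked_families = set()

    def _sign(self, payload: dict) -> str:
        # Stateless access token: base64url(JSON payload) + "." + HMAC-SHA256 tag.
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def verify_access(self, token: str) -> Optional[dict]:
        """Return the payload if the signature is valid and the token is unexpired."""
        try:
            body, tag = token.rsplit(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if payload["exp"] <= self._now():
            return None  # expired: the only way forward is the refresh token
        return payload

    def _issue_refresh(self, sub: str, family: str) -> str:
        raw = secrets.token_urlsafe(32)
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._refresh[digest] = {"sub": sub, "family": family,
                                 "exp": self._now() + REFRESH_TTL_SECONDS, "used": False}
        return raw

    def login(self, sub: str) -> Tuple[str, str]:
        """Called after primary authentication succeeds; starts a new token family."""
        family = secrets.token_hex(8)
        access = self._sign({"sub": sub, "exp": self._now() + ACCESS_TTL_SECONDS})
        return access, self._issue_refresh(sub, family)

    def refresh(self, raw_refresh: str) -> Optional[Tuple[str, str]]:
        """Rotate: consume the presented refresh token and mint a new access/refresh pair."""
        rec = self._refresh.get(hashlib.sha256(raw_refresh.encode()).hexdigest())
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["exp"] <= self._now():
            return None
        if rec["used"]:
            # A rotated token was presented again. Either the legitimate client or a
            # thief holds a stale copy, so revoke the entire family; both parties must
            # re-authenticate, which caps the value of a stolen refresh token.
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        access = self._sign({"sub": rec["sub"], "exp": self._now() + ACCESS_TTL_SECONDS})
        return access, self._issue_refresh(rec["sub"], rec["family"])


if __name__ == "__main__":
    svc = TokenService(b"constructed-demo-key")
    access, refresh = svc.login("alice")
    print("access valid:", svc.verify_access(access) is not None)
    new_access, new_refresh = svc.refresh(refresh)
    print("rotated:", svc.verify_access(new_access) is not None)
    print("old refresh reused ->", svc.refresh(refresh))      # None, family revoked
    print("new refresh after reuse ->", svc.refresh(new_refresh))  # None, family revoked
```

Note that there is deliberately no endpoint that accepts an access token and returns a fresh one: an expired access token is simply rejected, and only the server-tracked refresh token can obtain a new pair, so a stolen access token alone is worth at most ACCESS_TTL_SECONDS of access.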