Is it sefe to get access to GET /api/jwt/refresh?userId={userId} method?

I can get all refresh tokens for user if I know the user id and API authorization key. Everybody can see authorization key. User id is data that never expires, can be stolen and does not have confidential character. Why do we have this method? I think it is easy way to get token for any user...