Yes. A user can have one-to-many refresh tokens per application.

Yes. You can use the Authorization Code grant with cookies. Here is a workflow diagram of this: https://fusionauth.io/learn/expert-advice/authentication/webapp/oauth-authorization-code-grant-jwts-refresh-tokens-cookies/

No, this isn't currently possible.

I think that would fall into the threat detection bucket of features we are planning. Feel free to add any notes, comments or suggestions here: https://github.com/FusionAuth/fusionauth-issues/issues/905

@dan Thank you for your support. Fixing the signature just saved me another couple of hours (also coming from https://fusionauth.io/blog/2020/07/14/django-and-oauth/) ^^

@chakshu

Sorry, I pointed you to the incorrect setting.

You can go to Applications > FusionAuth > Edit > JWT > Refresh Token duration

Changing that to 1 (the value is in minutes) caused me to be signed out of the admin application after 60 seconds.

Hope that helps.