Assess learners' ability to apply OAuth 2.0 access and refresh token flows to design and secure RESTful APIs, including token lifecycle, grant types, Authorization header usage, refresh-token rotation and revocation, token validation (JWT or introspection), secure storage and transmission (HTTPS), implementing /token and /revoke endpoints, handling expiration and refresh logic, and mitigating threats such as token theft and replay.