Why doesn't the token expire after 5 minutes?

I have a couple of questions about the configuration of authentication via tokens for users.

  1. The access token expires in 5 minutes, but I can make requests and get the result without getting a 401. I do not know why this is so. I didn’t set up the session additionally.
    I use Spring Boot with oauth2-resource-server:
     ```java
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http.csrf(AbstractHttpConfigurer::disable);
         http.authorizeHttpRequests(x ->
             x.requestMatchers("/users", HttpMethod.POST.name()).permitAll()
                 .requestMatchers("/login", HttpMethod.POST.name()).permitAll()
                 .requestMatchers("/refresh", HttpMethod.POST.name()).anonymous()
                 .anyRequest().authenticated());
         http.oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()));
         return http.build();
     }
     ```
  2. After updating the refresh token, I can still use the old tokens. This way, I get two pairs of tokens for one user that can be used. Perhaps this is the default behavior. Help me set it up, please.

Hello,
Regarding point 1: to which endpoint are you sending the HTTP request?