OAuth 2.0 usage

We are working with a 3rd party provider that is trying to integrate our phone system with Jira. I have set up an OAuth 2.0 App that will grant them permissions to pull custom field values without having Jira admin permissions.

They take the token and get a refresh token each time. They are working on a script to kick off a call to the api using the Oauth 2.0 refresh token every time a call comes in.

My question is what if two calls are made at the same exact time. Will this break the refresh token?

also, is there a way I can get them a token that does not have to refresh and does not expire where they can query custom fields without having admin access to our system?