oauth-2.0

Can an OAuth token be stolen?


Suppose I am using OAuth for my application's authentication, and I access an API that uses token-based authentication. The token, which is the key to authentication, gets into the hands of a hacker. Will the hacker be able to impersonate authentic users?


Solution

  • The answer is yes. That is why your tokens should be short-lived, and it is better not to use refresh tokens at all. Hackers sometimes get a token after it has already expired, so this is much better than a username and password. Still, it is not bulletproof, and you should use other techniques to stop and monitor suspicious requests, like monitoring and limiting IP addresses, blocking too many requests per second, etc.
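The following Python script is an added illustration of the points in the answer above; it is not code from the original post and does not talk to a real OAuth server. It assumes a simplified bearer-token format (a JSON payload with an expiry plus an HMAC tag, which is how a resource server would validate a self-contained token) and feeds a constructed request log with hypothetical IP addresses through a simple monitor. It shows three things: a stolen token is accepted exactly as if the real user presented it, a short lifetime bounds that window, and a per-token rate limit plus a "seen from more than one source IP" check catch the replay in this sample log.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from collections import defaultdict, deque

# Hypothetical server-side signing key, generated for this example only.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: float, ttl_seconds: int, key: bytes = SERVER_KEY) -> str:
    """Issue a bearer token: JSON claims plus an HMAC-SHA256 tag.
    Whoever presents this string is treated as `subject` until `exp`."""
    claims = {"sub": subject, "exp": int(now) + ttl_seconds, "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def validate_token(token: str, now: float, key: bytes = SERVER_KEY):
    """Return the subject the token asserts, or None if it is forged or expired.
    Note what is NOT checked: who is presenting it. A bearer token carries no
    binding to the client, so a stolen copy is indistinguishable from the
    original for as long as it is valid."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["sub"]


def token_id(token: str) -> str:
    return json.loads(_unb64(token.split(".")[0]))["jti"]


class AccessMonitor:
    """Per-token monitor: flags bursts (too many requests in one second) and a
    token that shows up from more distinct source IPs than expected."""

    def __init__(self, max_per_second: int = 5, max_ips: int = 1):
        self.max_per_second = max_per_second
        self.max_ips = max_ips
        self._times = defaultdict(deque)  # jti -> timestamps in the last second
        self._ips = defaultdict(set)      # jti -> source IPs seen so far

    def observe(self, jti: str, ip: str, ts: float) -> list:
        alerts = []
        window = self._times[jti]
        window.append(ts)
        while window and ts - window[0] >= 1.0:  # drop requests older than 1s
            window.popleft()
        if len(window) > self.max_per_second:
            alerts.append("rate")
        self._ips[jti].add(ip)
        if len(self._ips[jti]) > self.max_ips:
            alerts.append("multi_ip")
        return alerts


def run_demo() -> dict:
    t0 = 1_700_000_000.0
    token = issue_token("alice", t0, ttl_seconds=300)  # 5-minute lifetime
    jti = token_id(token)
    # Constructed request log: alice from 10.0.0.5, then the same token replayed
    # from 203.0.113.9 (hypothetical attacker), including an 8-request burst.
    log = [("10.0.0.5", t0 + 1), ("10.0.0.5", t0 + 30), ("203.0.113.9", t0 + 60)]
    log += [("203.0.113.9", t0 + 61 + i * 0.1) for i in range(8)]
    monitor = AccessMonitor(max_per_second=5, max_ips=1)
    flagged = {}
    for ip, ts in log:
        for alert in monitor.observe(jti, ip, ts):
            flagged.setdefault(ip, set()).add(alert)
    # A forged payload (subject changed to "admin") reusing the genuine tag.
    forged_claims = {"sub": "admin", "exp": int(t0) + 300, "jti": jti}
    forged = _b64(json.dumps(forged_claims, separators=(",", ":")).encode()) + "." + token.split(".")[1]
    return {
        "attacker_accepted_before_expiry": validate_token(token, t0 + 60) == "alice",
        "rejected_after_expiry": validate_token(token, t0 + 301) is None,
        "rejected_if_forged": validate_token(forged, t0 + 60) is None,
        "flags": {ip: sorted(a) for ip, a in flagged.items()},
    }


if __name__ == "__main__":
    print(run_demo())
```

The validator deliberately accepts the attacker's request at `t0 + 60` because nothing in a bearer token identifies the presenter; only the expiry and the out-of-band monitoring limit the damage. The multi-IP rule is a heuristic, not a hard control: legitimate users roam between networks, so in practice it is a signal to correlate with other context rather than a block on its own.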