I raised some queries regarding this a while ago on Rate limits and letting people login specifically regarding rate limits. Which this has a bearing on.
If I have 120 people logged in, I’m supposed to check their oAuth hourly (if still active on my application) as well as handle new users that have logged in.