create table refresh_tokens (
  id uuid primary key default uuidv4(),
  user_id uuid not null references users(id) on delete cascade,
  token_hash varchar(255) not null, -- SHA-256 hash of the plain token
  expires_at timestamptz not null,
  created_at timestamptz not null default now(),
  revoked_at timestamptz,
  
  constraint unique_token_hash unique (token_hash)
);