spring-attic / spring-social

Allows you to connect your applications with SaaS providers such as Facebook and Twitter.

Home Page:http://projects.spring.io/spring-social

risk of hacking tokens as String

enricjaen opened this issue · comments

Currently tokens are stored in memory as String, which poses a risk if an intruder is able to dump the heap.

public class AccessGrant implements Serializable {
	private final String accessToken;
	private final String refreshToken;
...
}

It is recommended to use byte or char arrays so that tokens can be handled securely and nulled out once they are no longer needed.
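The pattern the issue asks for, as an added example that is not spring-social's own code: an AccessGrant-style holder that keeps the token material in `char[]` instead of `String`, exposes it only through a callback, and wipes both arrays when closed. The class name `ClearableAccessGrant`, its methods, and the sample token values are all hypothetical and constructed for this illustration.

```java
import java.util.Arrays;
import java.util.function.Consumer;

/**
 * Added example (hypothetical class, not part of spring-social): an AccessGrant-like
 * holder backed by char[] so the secret can be overwritten once it is no longer needed.
 * Deliberately NOT Serializable: serializing it would copy the secret into another buffer.
 */
public final class ClearableAccessGrant implements AutoCloseable {
    private final char[] accessToken;
    private final char[] refreshToken; // may be null when the provider issues none
    private boolean cleared;

    public ClearableAccessGrant(char[] accessToken, char[] refreshToken) {
        // Defensive copies: the caller's arrays and ours can then be wiped independently.
        this.accessToken = accessToken.clone();
        this.refreshToken = (refreshToken == null) ? null : refreshToken.clone();
    }

    /** Hands the raw token to a consumer without ever materializing it as a String. */
    public void withAccessToken(Consumer<char[]> consumer) {
        ensureNotCleared();
        consumer.accept(accessToken);
    }

    public boolean hasRefreshToken() {
        ensureNotCleared();
        return refreshToken != null;
    }

    public boolean isCleared() {
        return cleared;
    }

    /** Overwrites both arrays with NULs; any later use of the grant throws. */
    @Override
    public void close() {
        Arrays.fill(accessToken, '\0');
        if (refreshToken != null) {
            Arrays.fill(refreshToken, '\0');
        }
        cleared = true;
    }

    /** Never prints the secret, so accidental logging of the grant leaks nothing. */
    @Override
    public String toString() {
        return "ClearableAccessGrant[cleared=" + cleared + "]";
    }

    private void ensureNotCleared() {
        if (cleared) {
            throw new IllegalStateException("token material has already been wiped");
        }
    }

    /** Builds "Bearer <token>" as a char[] so the header value can be wiped as well. */
    static char[] buildBearerHeader(char[] token) {
        char[] prefix = "Bearer ".toCharArray();
        char[] out = new char[prefix.length + token.length];
        System.arraycopy(prefix, 0, out, 0, prefix.length);
        System.arraycopy(token, 0, out, prefix.length, token.length);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials. In a real flow the token would
        // arrive from the provider's JSON response, ideally read straight into a char[].
        char[] access = "constructed-sample-access-token".toCharArray();
        char[] refresh = "constructed-sample-refresh-token".toCharArray();

        try (ClearableAccessGrant grant = new ClearableAccessGrant(access, refresh)) {
            grant.withAccessToken(token -> {
                char[] header = buildBearerHeader(token);
                System.out.println("Authorization header length: " + header.length);
                Arrays.fill(header, '\0'); // wipe the temporary copy too
            });
            System.out.println("has refresh token: " + grant.hasRefreshToken());
        } // close() runs here and zeroes the grant's copies

        // The caller still owns the original arrays and must wipe those itself.
        Arrays.fill(access, '\0');
        Arrays.fill(refresh, '\0');
    }
}
```

Two caveats apply to this approach on the JVM. `Arrays.fill` only overwrites the arrays you hold a reference to: if the token ever existed as a `String` (for example because the OAuth token response was parsed from JSON into a `String` before being copied into the `char[]`, or because the HTTP client turns the header value back into a `String`), that immutable copy stays on the heap until the garbage collector happens to reuse the memory. The collector may also have moved or copied the array during compaction, leaving stale copies behind. Using `char[]` therefore shortens the window in which a heap dump exposes the token, but it does not eliminate it unless the whole path from the network buffer to the outgoing request avoids `String`.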