diff --git a/crates/erp-auth/src/service/auth_service.rs b/crates/erp-auth/src/service/auth_service.rs
index 78af1eb..6aa681b 100644
--- a/crates/erp-auth/src/service/auth_service.rs
+++ b/crates/erp-auth/src/service/auth_service.rs
@@ -195,7 +195,7 @@ impl AuthService {
 TokenService::validate_refresh_token(refresh_token_str, db, jwt.secret).await?;
 // Revoke the old token (rotation)
- TokenService::revoke_token(old_token_id, db).await?;
+ TokenService::revoke_token(old_token_id, claims.sub, db).await?;
 // Fetch fresh roles and permissions
 let roles: Vec = TokenService::get_user_roles(claims.sub, claims.tid, db).await?;
diff --git a/crates/erp-auth/src/service/token_service.rs b/crates/erp-auth/src/service/token_service.rs
index 5a924c0..5d3357f 100644
--- a/crates/erp-auth/src/service/token_service.rs
+++ b/crates/erp-auth/src/service/token_service.rs
@@ -131,6 +131,7 @@ impl TokenService {
 let hash = sha256_hex(token);
 let token_row = user_token::Entity::find()
 .filter(user_token::Column::TokenHash.eq(hash))
+ .filter(user_token::Column::TenantId.eq(claims.tid))
 .filter(user_token::Column::RevokedAt.is_null())
 .one(db)
 .await
@@ -151,8 +152,10 @@ impl TokenService {
 }
 /// Revoke a specific refresh token by database ID.
- pub async fn revoke_token(token_id: Uuid, db: &DatabaseConnection) -> AuthResult<()> {
+ /// Verifies that the token belongs to the specified user for security.
+ pub async fn revoke_token(token_id: Uuid, user_id: Uuid, db: &DatabaseConnection) -> AuthResult<()> {
 let token_row = user_token::Entity::find_by_id(token_id)
+ .filter(user_token::Column::UserId.eq(user_id))
 .one(db)
 .await
 .map_err(|e| AuthError::Validation(e.to_string()))?
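Review bot: Passing `claims.sub` to `revoke_token` turns an id/user mismatch into an error, but the hunk does not show how that error reaches the caller; if it surfaces as an ordinary validation failure it hides a signal worth recording (a refresh-token id presented together with another subject's claims). Consider handling that case explicitly at the call site, logging it at warning level with the token id and subject before propagating, rather than relying on the generic `?`. Where `old_token_id` comes from is above the hunk — if it is read out of the validated claims the new check is defense in depth, if it comes from request input it is the actual fix, and the note in the commit should say which. The enclosing function starts before the hunk and continues past it.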
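Review bot: The new `TenantId` filter binds the row to `claims.tid`, but nothing in this query binds it to `claims.sub`, so any hash match within the tenant is accepted whichever user the row was issued to; adding `.filter(user_token::Column::UserId.eq(claims.sub))` beside the tenant filter (the column is already used in `revoke_token`) completes the binding. Both values come from the same decoded claims, so this is consistent with how the tenant filter is derived. Whether the row's user is compared later in the function cannot be seen here, and no expiry condition is visible in the query either — the enclosing `validate_refresh_token` starts before the hunk and continues after it; if expiry is enforced elsewhere, a one-line comment at the query saying so would spare the next reader the search.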
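Review bot: The added doc line says the token must belong to the user but not what happens when it does not; with the `UserId` filter the query yields `None` for a mismatched row, and the rest of the body is outside the hunk, so state the contract: `/// A token that exists but belongs to a different user is treated as not found; callers cannot distinguish the two cases.` (adjust if the body below does distinguish them). Unlike `validate_refresh_token`, which now also filters on `TenantId`, this lookup binds only `UserId`; if `user_token` rows carry a tenant, filtering on it here too keeps the two services consistent. The new signature line also exceeds 100 columns, so rustfmt would wrap the parameter list.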