That is the expected behaviour
auth.grant fires whenever anyone goes thru the auth flow and a new user token is assigned.
In this case a new auth token is assigned so you are notified that a new token is assigned.
Regardless of the user cancelling the request a new token is spawned.
When it comes to “spam” on the webhook we all have to deal with follow flood already so device accordingly.
This “spam” is no different to 200 people authing at the same time for example.