Auth0 - Third party Application - Refreshing Token - access_denied error

am still receiving access_denied error even I have setup the required configuration I have found on Auth0 documentation Call Your API Using the Authorization Code Flow

I have already enabled Implicit, Authorization Code, Refresh Token, Client Credentials on my application grant_types and enabled Refresh Token Rotation too.

I have tried researching more about this but I can’t find anything on google as I am probably the first one encountering this? Or probably I am missing something out here.

here’s the sample curl request I have
I am still receiving access_denied error even I have setup the required configuration I have found on Auth0 documentation Call Your API Using the Authorization Code Flow

I have already enabled Implicit, Authorization Code, Refresh Token, Client Credentials on my application grant_types and enabled Refresh Token Rotation too.

I have tried researching more about this but I can’t find anything on google as I am probably the first one encountering this? Or probably I am missing something out here.

here’s the sample curl request I have

curl --location --request POST 'https://{MY_AUTH0_DOMAIN}/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--header 'Cookie: did=s%3Av0%3A6b3f22c0-ac00-11ec-b070- 
0b6e59231b0a.LT0c0bBGB4EukRqKLcGtHtt9t%2B3YtiQ1nQ07bfKCkyU; 
did_compat=s%3Av0%3A6b3f22c0-ac00-11ec-b070- 
0b6e59231b0a.LT0c0bBGB4EukRqKLcGtHtt9t%2B3YtiQ1nQ07bfKCkyU' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_id={MY_CLIENT_ID}' \
--data-urlencode 'refresh_token=v1.MemAxcxZBez46BV3cDnUo97zIY_lfNDi15XTCDJr5tQKbrEvnZzBjiVNvtOfrny3A0QD1AsoUDLJETl3rFkzLMM'

I found the issue, in their documentation Call Your API Using the Authorization Code Flow it doesn’t require you to pass client_secret but it is needed when you do request for a refresh_token. Found it here Use Refresh Tokens in Node.js (and axios): Receiving 401 error (access_denied, Unauthorized)

User is asked to validate the scopes used by the app. Generally, you do not want users to have to decide to validate use of restricted scopes. So, when possible, use “recommended” scopes as they narrow access to specific functionality needed by an app.
Pay My Doctor Login