I found the issue, in their documentation Call Your API Using the Authorization Code Flow it doesn’t require you to pass client_secret but it is needed when you do request for a refresh_token. Found it here Use Refresh Tokens in Node.js (and axios): Receiving 401 error (access_denied, Unauthorized)