For my mobile app I employ both passwordless (SMS) login and login via OIDC. When I try to refresh my access tokens, I receive the error message "invalid_grant Unknown or invalid refresh token". Note that I am including the offline_access scope on my requests and I have enabled offline access in my API.
The refresh tokens I receive are significantly shorter than any other valid access token or id token that is returned from this endpoint. Any thoughts on why this is happening?
Refresh tokens are opaque; you cannot decode them.
It is hard to tell why you are getting invalid refresh token without more info. One possibility is you are using rotating refresh tokens, and trying to reuse them. That would invalidate the whole chain.
If you post more details, we can try to help.
Thanks so much for the quick response. You were right – I was reusing a refresh token that had already been used. That’s what had been causing the error message.
Glad it all came together!
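The failure mode confirmed in this thread, as an added example that is not part of the original posts: a toy model of refresh token rotation with reuse detection, next to a client that stores the rotated token after every refresh. The `RotatingTokenServer`, `Client` and `demo` names and the error strings are assumptions made for illustration, not any provider's real implementation.

```python
import secrets

class InvalidGrant(Exception):
    """Stand-in for the invalid_grant error returned by the token endpoint."""

class RotatingTokenServer:
    """Constructed model of an authorization server that rotates refresh tokens."""
    def __init__(self):
        self._family_of = {}  # every refresh token ever issued -> its chain id
        self._current = {}    # chain id -> the only token still redeemable

    def _issue(self, family):
        token = secrets.token_urlsafe(16)  # opaque random string, nothing to decode
        self._family_of[token] = family
        self._current[family] = token
        return token

    def login(self):
        return self._issue(secrets.token_hex(4))

    def refresh(self, token):
        family = self._family_of.get(token)
        if family is None or family not in self._current:
            raise InvalidGrant("unknown token or revoked chain")
        if self._current[family] != token:
            # An already-used token came back: revoke the whole chain.
            del self._current[family]
            raise InvalidGrant("refresh token reuse detected")
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": self._issue(family)}

class Client:
    """Client that replaces its stored refresh token on every refresh."""
    def __init__(self, server):
        self.server = server
        self.refresh_token = server.login()

    def refresh(self):
        resp = self.server.refresh(self.refresh_token)
        self.refresh_token = resp["refresh_token"]  # store before the next call
        return resp["access_token"]

def demo():
    server = RotatingTokenServer()
    client = Client(server)
    stale = client.refresh_token   # copy of the first token, as a buggy cache would keep
    client.refresh()
    client.refresh()               # correct use: each call presents the newest token
    errors = []
    for attempt in (lambda: server.refresh(stale), client.refresh):
        try:
            attempt()
        except InvalidGrant as exc:
            errors.append(str(exc))
    return errors
```

Replaying the stale token fails, and the newest token fails afterwards too, because the replay revoked the chain; the client then has to log in again.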