Hi there @jjones1 welcome to the community!
Are you attempting something like is outlined in this FAQ to add roles/permission to a user’s token? Which type of Action are you using?
Refresh tokens are encouraged for native mobile apps and are considered a safe approach to improving the user experience. I recommend checking out both this article as well as this blog post to learn more.
That is correct - The only way a refresh token will be granted is if the offline_access scope is included in the authorize request.
Let us know!