How to get `refresh_token` for embedded passwordless auth in a native app

Hello!

I have a Flutter app, and I want to implement a passwordless SMS login without using Universal Login. I have been following the documentation on Embedded Passwordless Login in Native Applications.

So far, I was able to send an OTP to a phone number using the following:

POST https://example.auth0.com/passwordless/start
Body: {
    "client_id": "CLIENT_ID_HERE",
    "connection": "sms",
    "phone_number": "PHONE_NUMBER_HERE",
    "send": "code",
    "authParams": {
        "scope": "openid profile email"
    }
}

And authenticate the user with:

POST https://example.auth0.com/oauth/token
Body: {
    "grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp",
    "client_id": "CLIENT_ID_HERE",
    "username": "PHONE_NUMBER_HERE",
    "otp": "123456",
    "realm": "sms",
    "audience": "AUDIENCE_HERE",
    "scope": "openid profile email"
}

But the response I receive doesn’t include a refresh_token. I only get the following:

{
    "access_token": "eyJh...",
    "id_token": "eyJh...",
    "scope": "openid profile email",
    "expires_in": 86400,
    "token_type": "Bearer"
}

I also tried including offline_access as a scope, following some of the topics I’ve read, but it still won’t return the refresh_token.

Am I doing something wrong? Did I miss anything?

I must have looked through every topic with the passwordless and refresh_token keywords here, but I have got nothing so far.

Any input is appreciated, thank you! <3

Hi @nrion, welcome to the community!

It could be that the audience you have specified does not have offline access enabled. Have you checked that offline access is allowed in the API settings?
When this is disabled, Auth0 silently ignores the offline_access scope. This scope is required to get a refresh token.

1 Like
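As an added example (not code from the original post or from Auth0), here are the two requests from the thread assembled with offline_access included in the /oauth/token scope, plus a check that explains why a refresh_token is missing. Nothing here touches the network: fake_auth0 is a constructed stand-in that reproduces the behaviour the reply above describes (offline_access silently dropped unless the API allows offline access). The tenant URL, client id, audience, phone number and OTP are placeholders taken from the thread or assumed.

```python
"""Embedded passwordless SMS login against Auth0, with the refresh_token check.

Added example for this thread; not code from the original post or from Auth0.
`fake_auth0` is a constructed stand-in for the two endpoints, imitating the
finding in the reply above: offline_access is silently dropped unless the API
named by the audience has offline access allowed. Tenant URL, client id,
audience, phone number and OTP are placeholders from the thread or assumed.
"""
from typing import Any, Callable, Dict, List, Tuple

TENANT = "https://example.auth0.com"  # placeholder tenant, as in the thread
OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"
DEFAULT_SCOPE = "openid profile email offline_access"  # offline_access was the missing piece

# post(url, json_body) -> json_response; injected so the example runs offline
Post = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def start_sms_otp(post: Post, client_id: str, phone_number: str,
                  scope: str = DEFAULT_SCOPE) -> Dict[str, Any]:
    """Step 1: ask Auth0 to text a one-time code (POST /passwordless/start)."""
    body = {
        "client_id": client_id,
        "connection": "sms",
        "phone_number": phone_number,
        "send": "code",
        "authParams": {"scope": scope},
    }
    return post(f"{TENANT}/passwordless/start", body)


def exchange_otp(post: Post, client_id: str, phone_number: str, otp: str,
                 audience: str, scope: str = DEFAULT_SCOPE) -> Dict[str, Any]:
    """Step 2: trade the code for tokens (POST /oauth/token, OTP grant)."""
    body = {
        "grant_type": OTP_GRANT,
        "client_id": client_id,
        "username": phone_number,
        "otp": otp,
        "realm": "sms",
        "audience": audience,
        "scope": scope,  # must contain offline_access to get a refresh_token
    }
    return post(f"{TENANT}/oauth/token", body)


def diagnose_refresh_token(requested_scope: str, token_response: Dict[str, Any]) -> List[str]:
    """Explain a missing refresh_token from the request and response alone.

    RFC 6749 section 5.1 requires the server to echo the granted scope when it
    differs from the requested one, so offline_access absent from the response
    scope means the server dropped it.
    """
    if "error" in token_response:
        detail = token_response.get("error_description", token_response["error"])
        return [f"token request failed: {detail}"]
    if "refresh_token" in token_response:
        return []
    requested = set(requested_scope.split())
    granted = set(token_response.get("scope", requested_scope).split())
    if "offline_access" not in requested:
        return ["offline_access was not requested; add it to the scope of the /oauth/token call"]
    if "offline_access" not in granted:
        return ["offline_access was requested but not granted: enable 'Allow Offline Access' "
                "in the settings of the API named by the audience"]
    return ["offline_access granted but no refresh_token returned; inspect the tenant configuration"]


def fake_auth0(api_allows_offline_access: bool, expected_otp: str = "123456") -> Post:
    """Constructed stand-in for the two Auth0 endpoints (not the real service)."""
    def post(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        if url.endswith("/passwordless/start"):
            return {"_id": "constructed-id", "phone_number": body["phone_number"], "phone_verified": False}
        if not url.endswith("/oauth/token"):
            return {"error": "not_found"}
        if body.get("grant_type") != OTP_GRANT or body.get("otp") != expected_otp:
            return {"error": "invalid_grant", "error_description": "Wrong phone number or verification code."}
        # Silently drop offline_access when the API does not allow it, as the reply describes.
        granted = [s for s in body["scope"].split() if s != "offline_access" or api_allows_offline_access]
        response = {"access_token": "eyJh...", "id_token": "eyJh...", "scope": " ".join(granted),
                    "expires_in": 86400, "token_type": "Bearer"}
        if "offline_access" in granted:
            response["refresh_token"] = "v1.M..."  # constructed placeholder value
        return response
    return post


def login(post: Post, phone_number: str, otp: str, scope: str = DEFAULT_SCOPE,
          client_id: str = "CLIENT_ID_HERE", audience: str = "AUDIENCE_HERE"
          ) -> Tuple[Dict[str, Any], List[str]]:
    """Run both steps and return (token response, diagnostics about refresh_token)."""
    start_sms_otp(post, client_id, phone_number, scope)
    tokens = exchange_otp(post, client_id, phone_number, otp, audience, scope)
    return tokens, diagnose_refresh_token(scope, tokens)


if __name__ == "__main__":
    for allowed in (False, True):
        tokens, problems = login(fake_auth0(allowed), "+15555550100", "123456")
        print(f"API allows offline access={allowed}: refresh_token present={'refresh_token' in tokens} {problems}")
```

The useful habit here is comparing the scope echoed in the token response with the scope you asked for: a dropped offline_access shows up there immediately, instead of after hours of re-reading the request body.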

Hi @sgo, glad to be here!

And that was it! I can’t believe it took me so many hours to resolve that. Thank you!

1 Like

No worries! We got you covered!

1 Like