Hey there @bbarnell !
At a most basic level, all that’s required is setting `useRefreshTokens: true` and enabling refresh token rotation for the relevant application in your dashboard settings.
Here’s a working example if you’d like to check it out - if I omit the `useRefreshTokens: true` flag then the application will resort to using silent auth if I click the “ping” button (`getTokenSilently`) of the external API page. With `useRefreshTokens: true`, you can see the `offline_access` scope included in the initial authorize request constructed on login, and subsequently a refresh token returned from the token endpoint:
Now when I click “ping api”, I can see a successful refresh token exchange in my logs (monitoring → logs):
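As an added example (not part of the post above, and not the Auth0 SDK's own code), the following checks the two signs of a working setup that the post describes: the authorize request carrying `offline_access`, and the token endpoint returning a refresh token, which with rotation enabled changes on every refresh exchange. The authorize URL, tenant, client id and token values are constructed placeholders.

```javascript
// Added example: verify what a correctly configured refresh-token flow looks like
// in captured requests/responses. All sample values below are constructed placeholders.

// Does the /authorize request ask for the offline_access scope?
// Without it no refresh token is issued and the SDK falls back to silent auth.
function requestsOfflineAccess(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams; // decodes %20 into spaces
  const scopes = (params.get("scope") || "").split(/\s+/).filter(Boolean);
  return scopes.includes("offline_access");
}

// Classify a parsed token endpoint response body by what it indicates.
function classifyTokenResponse(body) {
  if (typeof body !== "object" || body === null) return "invalid";
  if (typeof body.error === "string") return "error:" + body.error;
  if (typeof body.refresh_token === "string" && body.refresh_token.length > 0) {
    return "refresh_token_issued";
  }
  if (typeof body.access_token === "string") return "access_token_only";
  return "invalid";
}

// Summarise a login + "ping api" sequence: the authorize request, the code
// exchange at login, and the refresh exchange triggered later by getTokenSilently().
function summarizeFlow(authorizeUrl, codeExchangeBody, refreshExchangeBody) {
  const prev = codeExchangeBody && codeExchangeBody.refresh_token;
  const next = refreshExchangeBody && refreshExchangeBody.refresh_token;
  return {
    offlineAccessRequested: requestsOfflineAccess(authorizeUrl),
    loginExchange: classifyTokenResponse(codeExchangeBody),
    pingExchange: classifyTokenResponse(refreshExchangeBody),
    // With refresh token rotation enabled, each exchange returns a new refresh token.
    rotated: typeof next === "string" && next !== prev,
  };
}

// Constructed sample values (placeholder tenant, client id and tokens).
const SAMPLE_AUTHORIZE_URL =
  "https://example-tenant.auth0.com/authorize?client_id=PLACEHOLDER_CLIENT_ID" +
  "&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000" +
  "&scope=openid%20profile%20email%20offline_access&audience=https%3A%2F%2Fapi.example";
const SAMPLE_CODE_EXCHANGE = {
  access_token: "PLACEHOLDER_AT_1", refresh_token: "PLACEHOLDER_RT_1",
  id_token: "PLACEHOLDER_ID", token_type: "Bearer", expires_in: 86400,
};
const SAMPLE_REFRESH_EXCHANGE = {
  access_token: "PLACEHOLDER_AT_2", refresh_token: "PLACEHOLDER_RT_2",
  token_type: "Bearer", expires_in: 86400,
};

console.log(summarizeFlow(SAMPLE_AUTHORIZE_URL, SAMPLE_CODE_EXCHANGE, SAMPLE_REFRESH_EXCHANGE));
```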