Refresh Token Request Blocked By CORS policy

I’m following the docs on using refresh tokens. But I’m getting the following error:

Access to XMLHttpRequest at '' from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Here is my code:

async function refreshToken(refresh_token: string) {
  try {
    const AUTH_URL = `${checked(

    const { data } = await axios.post<RefreshInfo>(
      AUTH_URL,
      new URLSearchParams({
        grant_type: 'refresh_token',
        client_id: checked(process.env.NEXT_PUBLIC_AUTH0_CLIENT_ID),
        client_secret: checked(process.env.NEXT_PUBLIC_AUTH0_CLIENT_SECRET),
        refresh_token: refresh_token,
      }),
      {
        headers: {
          'content-type': 'application/x-www-form-urlencoded',
        },
      }
    );

    return data;
  } catch (error) {
    if (axios.isAxiosError(error)) {
      console.error('error message: ', error.message);
      // 👇️ error: AxiosError<any, any>
    } else {
      console.error('unexpected error: ', error);
    }
    return {} as RefreshInfo;
  }
}

Here are my settings for allowed urls:

Here are my grant types:

Can someone please tell me what I’m missing?
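
Added example, not part of the original post: the same `refresh_token` grant built and sent from server-side code, where the browser's CORS check is not involved and the client secret is not read from a `NEXT_PUBLIC_*` variable (Next.js inlines those into the browser bundle). The variable names `AUTH0_DOMAIN`, `AUTH0_CLIENT_ID` and `AUTH0_CLIENT_SECRET`, the helper names and the injected `doFetch` are assumptions made for this sketch.

```typescript
// Added example (not the poster's code): the refresh_token grant sent from the server.
type RefreshInfo = { access_token: string; expires_in: number; refresh_token?: string };
type Env = Record<string, string | undefined>;
type FetchInit = { method: string; headers: Record<string, string>; body: string };
type FetchLike = (url: string, init: FetchInit) =>
  Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>;

// Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle,
// so a secret stored under that prefix is readable by any visitor.
function exposedSecrets(env: Env): string[] {
  return Object.keys(env).filter((k) => /^NEXT_PUBLIC_/.test(k) && /SECRET/i.test(k));
}

// Read a variable or fail loudly; the names passed in below are assumed, server-only names.
function required(env: Env, name: string): string {
  const value = env[name];
  if (!value) throw new Error(`${name} is not set`);
  return value;
}

// Build the same form-encoded body the post sends, using server-side values.
function buildRefreshRequest(env: Env, refreshToken: string): { url: string; init: FetchInit } {
  const leaked = exposedSecrets(env);
  if (leaked.length > 0) throw new Error(`secret exposed to the browser: ${leaked.join(', ')}`);
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: required(env, 'AUTH0_CLIENT_ID'),
    client_secret: required(env, 'AUTH0_CLIENT_SECRET'),
    refresh_token: refreshToken,
  }).toString();
  return {
    url: `https://${required(env, 'AUTH0_DOMAIN')}/oauth/token`,
    init: { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded' }, body },
  };
}

// Call from an API route; doFetch is injected so the function can be tested offline.
async function refreshOnServer(env: Env, refreshToken: string, doFetch: FetchLike): Promise<RefreshInfo> {
  const { url, init } = buildRefreshRequest(env, refreshToken);
  const res = await doFetch(url, init);
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  const { access_token, expires_in, refresh_token } = (await res.json()) as RefreshInfo;
  // Forward only the token fields; the client secret stays on the server.
  return { access_token, expires_in, refresh_token };
}
```

The browser then calls the application's own route on its own origin, and only that route talks to the token endpoint.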