Refresh Token Request Blocked By CORS policy

I’m following the docs on using refresh tokens. But I’m getting the following error:

Access to XMLHttpRequest at 'https://dev-domain.us.auth0.com/oauth/token' from origin 'https://www.stuffdb.app' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Here is my code:

async function refreshToken(refresh_token: string) {
  try {
    const AUTH_URL = `${checked(
      process.env.NEXT_PUBLIC_AUTH0_ISSUER_BASE_URL
    )}/oauth/token`;

    const { data } = await axios.post<RefreshInfo>(
      AUTH_URL,
      new URLSearchParams({
        grant_type: 'refresh_token',
        client_id: checked(process.env.NEXT_PUBLIC_AUTH0_CLIENT_ID),
        client_secret: checked(process.env.NEXT_PUBLIC_AUTH0_CLIENT_SECRET),
        refresh_token: refresh_token,
      }),
      {
        headers: {
          'content-type': 'application/x-www-form-urlencoded',
        },
      }
    );

    return data;
  } catch (error) {
    if (axios.isAxiosError(error)) {
      console.error('error message: ', error.message);
      // 👇️ error: AxiosError<any, any>
    } else {
      console.error('unexpected error: ', error);
    }
    return {} as RefreshInfo;
  }
}

Here are my settings for allowed urls:

Here are my grant types:

Can someone please tell me what I’m missing?