This is the reply I got from auth0.
Hi There, You can use use refresh token flow if you are executing one of the following oauth2.0 flows.
- Authorization Code Flow
- Authorization Code Flow with Proof Key for Code Exchange (PKCE)
- Resource Owner Password Flow
- Device Authorization Flow
Token Best Practices flow is not part of Oauth2.0 grant flows. Hence, it is not supported.
As mentioned before, if you use Universal Login Flow and implement passwordless login via Hosted Login Page, you can create longer session for the user via refresh token. In that case, application will be executing Authorization Code Grant flow.
We have opted to use a code instead of a magic link and calling the /oauth/token endpoint to get a refresh token.