Use refresh_token from native app (received through passwordless)


I have a native app with a fully custom UI that uses passwordless via SMS for sign up and authentication.

I have that working by POSTing to /passwordless/start to trigger the sending of the code over SMS, and once the user enters the received code in the app I authenticate them with a POST to oauth/token sent with a grant_type of and include offline_access in the scope.

This works great in that I get back the access_token, id_token and refresh_token. No problems there.

Where I’m stuck is on using the refresh_token.

I tried POSTing to oauth/token with a grant_type of refresh_token and all the other required fields as detailed in the docs at but I get an error:

{ error: 'access_denied', error_description: 'Unauthorized' }

So the fact that that isn’t working is my first problem that I’m hoping someone can help with.

My second concern is that this approach to using the refresh_token requires having the client secret in the native app which seems like a security risk.

Is there a better way to make use of the refresh token from a native app?