The CI/CD runner keeps bombing out at exactly 03:00 GMT every single night. We’ve got a Studio flow that triggers a webhook to kick off a Terraform deployment, but the pipeline drops a 401 Unauthorized halfway through the resource sync. The initial handshake works fine. First, we POST to /oauth/token with {“grant_type”: “client_credentials”, “scope”: “admin:application”, “client_id”: “svc-acc-123”, “client_secret”: “masked”}. The response always spits back expires_in: 3600. Next, I tried appending offline_access to the scope string. CXone just strips it out on validation. Refresh tokens never show up in the payload either. The documentation mentions long-lived tokens for service accounts, but the actual endpoint behavior doesn’t match. We’re currently patching it with a cron job that re-fetches the token, which feels pretty fragile. Need a way to force a longer expiry window or handle the refresh cycle programmatically inside the pipeline script. The terraform provider just hangs when the access token rolls over during a plan apply.