Multi-Org OAuth Token Refresh Failure with 401 Unauthorized in Partner Portal

How do I correctly handle silent token refresh for multi-tenant AppFoundry applications when the standard authorization code flow returns a 401 Unauthorized error during the refresh_token grant type exchange?

We are deploying a premium analytics dashboard across multiple Genesys Cloud tenant organizations, leveraging the Partner Portal architecture to manage centralized OAuth credentials. The application uses the Genesys Cloud Node.js SDK version 4.12.0 and implements a custom middleware layer to intercept API calls and validate token expiration headers.

In our staging environment, which mimics production traffic patterns with high-concurrency requests, we observe intermittent 401 errors specifically when the refresh_token endpoint (/v2/oauth/token) is invoked for tenants that have not been active for more than 24 hours. The error response body indicates that the refresh token has been revoked or expired prematurely, despite our implementation of the recommended refresh-before-expiry strategy using a 5-minute safety buffer before the access_token expiration timestamp.

We have verified that the client_id and client_secret stored in our secure vault are correct and that the redirect_uri matches the registered configuration in the AppFoundry console exactly. Additionally, we have enabled detailed logging on the Genesys Cloud side, but the audit logs do not provide sufficient granularity to determine whether the token revocation is triggered by a security policy change, an administrative action, or an internal system cleanup process. We are considering switching to a device authorization flow for initial setup, but this introduces significant friction for our enterprise clients who expect seamless single sign-on experiences.

Given the constraints of the Partner Portal architecture and the need for automated, unattended token management, what is the most robust pattern for detecting and recovering from these premature token revocations without disrupting the user experience or triggering rate limit penalties on the OAuth endpoint?
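
An added example, not part of the original post and not Genesys Cloud SDK code: a per-tenant token manager in Node.js that applies the 5-minute refresh-before-expiry buffer described above, shares one refresh among concurrent callers, and treats a 401 from the refresh_token grant as a terminal state that stops further calls to the OAuth endpoint. `TenantTokenManager`, `ReauthRequired` and the injected `exchange` function are hypothetical names; `exchange` is assumed to perform the grant and reject with `err.status` set on failure.

```javascript
// Added example; `exchange(tenantId, refreshToken)` is a hypothetical injected function
// that performs the refresh_token grant and resolves to
// { access_token, refresh_token?, expires_in } or rejects with err.status set.
const SAFETY_BUFFER_MS = 5 * 60 * 1000; // the 5-minute buffer from the question

class ReauthRequired extends Error {
  constructor(tenantId) {
    super(`tenant ${tenantId} needs interactive re-authorization`);
    this.tenantId = tenantId;
  }
}

class TenantTokenManager {
  constructor(exchange, now = () => Date.now()) {
    this.exchange = exchange;
    this.now = now;
    this.tenants = new Map();  // tenantId -> { accessToken, refreshToken, expiresAt, reauth }
    this.inFlight = new Map(); // tenantId -> pending refresh shared by concurrent callers
  }

  store(tenantId, r, previousRefreshToken) {
    this.tenants.set(tenantId, {
      accessToken: r.access_token,
      // Keep the old refresh token only if the server did not issue a new one.
      refreshToken: r.refresh_token || previousRefreshToken,
      expiresAt: this.now() + r.expires_in * 1000,
      reauth: false,
    });
  }

  async getAccessToken(tenantId) {
    const t = this.tenants.get(tenantId);
    if (!t) throw new Error(`unknown tenant ${tenantId}`);
    if (t.reauth) throw new ReauthRequired(tenantId); // do not hit the endpoint again
    if (this.now() < t.expiresAt - SAFETY_BUFFER_MS) return t.accessToken;
    if (!this.inFlight.has(tenantId)) {
      const p = this.refresh(tenantId, t).finally(() => this.inFlight.delete(tenantId));
      this.inFlight.set(tenantId, p);
    }
    return this.inFlight.get(tenantId);
  }

  async refresh(tenantId, t) {
    try {
      this.store(tenantId, await this.exchange(tenantId, t.refreshToken), t.refreshToken);
      return this.tenants.get(tenantId).accessToken;
    } catch (err) {
      if (err.status !== 401) throw err; // transient failure: caller may retry with backoff
      t.reauth = true;                   // terminal: the refresh token was rejected
      throw new ReauthRequired(tenantId);
    }
  }
}
```

Callers catch `ReauthRequired` to route the tenant back through interactive authorization; any other error leaves the stored tokens untouched.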