OAuth Token Refresh Failure with Multi-Org AppFoundry Integration

Could use a hand troubleshooting this persistent issue with token refresh for a multi-organization integration deployed via AppFoundry. The application uses the PKCE flow to authenticate users across multiple Genesys Cloud orgs. While initial token acquisition works seamlessly, the refresh token mechanism fails intermittently after the access token expires.

The client receives a 400 Bad Request with the error code invalid_grant when attempting to exchange the refresh token at /oauth/token. This occurs specifically when the user has been inactive for more than 60 minutes. The integration is configured with the correct scopes (openid, profile, email, and custom API scopes), and the refresh token is stored securely in the client-side session.

We have verified that the refresh token is not being reused and that the request payload matches the documentation. The issue seems to correlate with the token’s expires_in value, but we are unsure if there is a stricter window for refresh attempts in a multi-org context. Has anyone encountered similar behavior with PKCE refresh flows in AppFoundry apps? Any insights on handling token expiration for distributed orgs would be appreciated.
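
An added example, not part of the original post and not Genesys Cloud or AppFoundry code: one way a public (PKCE) client can keep token state per org and treat invalid_grant as terminal for that org only, following RFC 6749 sections 5.2 and 6. The function names, the 60-second skew, the org ids and the token values are assumptions constructed for illustration.

```javascript
// Added example: per-org token state for a public (PKCE) client, per RFC 6749.
// Org ids, client id and token values are constructed placeholders.
const SKEW_MS = 60000; // assumed margin: refresh this long before expiry

// Form body for the refresh grant (RFC 6749 section 6); a public client
// identifies itself with client_id and sends no client secret.
function buildRefreshBody(entry, clientId) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: entry.refreshToken,
    client_id: clientId,
  }).toString();
}

// Decide what to do for one org before calling its API.
function nextAction(store, orgId, now) {
  const entry = store.get(orgId);
  if (!entry || !entry.refreshToken) return 'reauthorize';
  return now < entry.expiresAt - SKEW_MS ? 'use' : 'refresh';
}

// Apply the token endpoint's answer to that org's entry only.
function applyTokenResponse(store, orgId, status, body, now) {
  if (status === 200) {
    const prev = store.get(orgId) || {};
    store.set(orgId, {
      accessToken: body.access_token,
      // Rotation: keep the old refresh token only if no new one was issued.
      refreshToken: body.refresh_token || prev.refreshToken,
      expiresAt: now + body.expires_in * 1000,
    });
    return 'use';
  }
  if (status === 400 && body && body.error === 'invalid_grant') {
    // Section 5.2: the grant is invalid, expired or revoked, so a retry
    // cannot succeed. Drop this org's tokens and restart the PKCE flow.
    store.delete(orgId);
    return 'reauthorize';
  }
  return 'retry'; // 5xx, rate limiting, network failure: tokens stay in place
}
```

Logging the org id, the HTTP status and the error code (never the token values) each time applyTokenResponse returns 'reauthorize' makes it possible to compare failures against idle time per org.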