Stuck on implementing token refresh for our multi-org AppFoundry integration. The initial POST /api/v2/oauth/token succeeds, but subsequent refresh attempts using the refresh_token grant type return a 401 Unauthorized response with invalid_grant. We are using the standard PKCE flow with client_id and redirect_uri matching the AppFoundry registration. The tokens expire after 3600 seconds as expected. Does the platform require specific scopes like offline_access to be explicitly requested during the initial authorization code exchange for refresh tokens to function correctly across different orgs?