hundreds-city-19796
08/20/2025, 11:26 AM
{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The refresh token is malformed or not valid."
}
brief-egg-61061
08/20/2025, 11:26 AM
brief-egg-61061
08/20/2025, 11:27 AM
The error

```json
{"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The refresh token is malformed or not valid."}
```

indicates that the refresh token provided in your request is either invalid, expired, revoked, malformed, or does not match the client or redirect URI.

Possible causes based on Ory documentation:

1. Refresh Token is Expired or Revoked: Refresh tokens in Ory are single-use and become invalid after being used once (refresh token rotation). If you try to use the same refresh token more than once, or if it has expired, you will get this error. Make sure you are always using the latest refresh token issued by the server and not reusing an old one. Also, by default, refresh tokens last for 30 days, but this can be configured. The maximum age is 6 months, after which they must be rotated. [OAuth2 refresh token grant](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#refresh-token-rotation-and-security-protections)
2. Malformed or Invalid Token: If the refresh token is not correctly formatted or has been tampered with, Ory will reject it as invalid or malformed. Ensure you are passing the token exactly as received from Ory, without any modifications or truncation.
3. Client or Redirect URI Mismatch: The refresh token is bound to the client and, in some cases, the redirect URI. If you are using a different client or redirect URI than the one used to obtain the refresh token, the request will fail. Double-check that you are using the correct client credentials and redirect URI. [Hydra debug: Refresh Token flow fails](https://www.ory.sh/docs/hydra/debug#refresh-token-flow-fails)
4. Replay of Refresh Token Grant: If your application makes multiple requests with the same refresh token (e.g., due to race conditions or retries), Ory will invalidate the token after the first use, and subsequent requests will fail. [OAuth2 is Difficult in Some Use Cases](https://www.ory.sh/blog/oauth2-openid-connect-do-you-need-use-cases-examples)

Potential Fixes:

- Always use the latest refresh token returned by Ory after each refresh operation.
- Ensure the refresh token is stored securely and not accidentally reused.
- Verify that the client ID and redirect URI in your request match those used to obtain the refresh token.
- Check that the refresh token has not expired or been revoked.
- If you suspect a race condition, implement logic to ensure only one refresh request is made at a time.

If you continue to experience issues, you may want to inspect your client configuration and logs for more details, or switch to development mode for more verbose error messages as described in the Ory Hydra debug documentation. If you need more specific troubleshooting, please provide details about your client configuration and the flow you are using.