Refresh token JS

Use OAuth Implicit Code Flow

Not OAuth Authorization Code Flow

When operating pure Client Side.

As you have demonstrated you are doing with your use of Ajax