diff --git a/services/grafana.hcl b/services/grafana.hcl
index f8c7ae1..d01877b 100644
--- a/services/grafana.hcl
+++ b/services/grafana.hcl
@@ -28,7 +28,7 @@ job "grafana" {
         GF_AUTH_GENERIC_OAUTH_NAME = "authentik"
         GF_AUTH_GENERIC_OAUTH_CLIENT_ID = "E78NG1AZeW6FaAox0mUhaTSrHeqFgNkWG12My2zx"
         GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET = "N7u2RfFZ5KVLdEkhlpUTzymGxeK5rLo9SYZLSGGBXJDr46p5g5uv1qZ4Jm2d1rP4aJX4PSzauZlxHhkG2byiBFMbdo6K742KXcEimZsOBFiNKeWOHxofYerBnPuoECQW"
-        GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email"
+        GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email offline_access"
         GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://authentik.v.paler.net/application/o/authorize/"
         GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://authentik.v.paler.net/application/o/token/"
         GF_AUTH_GENERIC_OAUTH_API_URL = "https://authentik.v.paler.net/application/o/userinfo/"
@@ -37,6 +37,8 @@ job "grafana" {
         GF_AUTH_OAUTH_AUTO_LOGIN = "true"
         # Optionally map user groups to Grafana roles
         GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+        GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN = "true"
+        #GF_LOG_LEVEL = "debug"
       }
 
       service {