What version of the backend / frontend SDKs are you using? > It seems that "refreshSession" is not called somehow That's odd. Do you mean existing sessions are not being refreshed at all after their access token expires? The session has an updateAccessTokenPayload function using which you can change a user's current session's payload. So you would set up an API which is called from the frontend to do this. This would only happen when the user uses the app though. If you want to add the roles in an offline manner, you should loop through all the sessions for the relevant user, and then call the updateAccessTokenPayload on those sessions with the new role. Then when their session is refreshed, their access token will reflect the new role.