Thanks for your suggestion.
Unfortunately, I don't get to that point in that my initial :grant_type => 'password' access fails before I have a chance to see the refresh token.
Or perhaps I didn't explain what I meant clearly by "refresh the sandbox". By this, I mean deleting and recreating the sandbox from production. In this case, I doubt the refresh token would stay the same before refreshing and after.
But, if I understand this feature correctly, if I ask to authenticate using :grant_type => 'password' access, then the refresh token shouldn't be used for validation.
Or do I not understand OAuth2 correctly here?