diff --git a/argocd/manifests/authentik/configmap-blueprint.yaml b/argocd/manifests/authentik/configmap-blueprint.yaml
index cc97dea..9da2f70 100644
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@@ -492,10 +492,6 @@ data:
             - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
             - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
             - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
-            # offline_access: heph CLI requests "openid offline_access"; without
-            # this mapping the refresh token is session-bound and hephd's
-            # refresh_token grant 400s once the session lapses (spoke sync dies).
-            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]
           sub_mode: hashed_user_id
           include_claims_in_id_token: true
 
diff --git a/docs/changelog.d/heph-offline-access.bugfix.md b/docs/changelog.d/heph-offline-access.bugfix.md
deleted file mode 100644
index e9721bc..0000000
--- a/docs/changelog.d/heph-offline-access.bugfix.md
+++ /dev/null
@@ -1 +0,0 @@
-Granted the `offline_access` scope on the Authentik `heph` OAuth2 provider so hephaestus spokes receive a durable 30-day refresh token. Previously the refresh token was session-bound, so spoke sync would silently fail with a `400 Bad Request` on the `refresh_token` grant once the Authentik session lapsed.
diff --git a/docs/reference/services/hephaestus.md b/docs/reference/services/hephaestus.md
index 7abc35b..1754ea0 100644
--- a/docs/reference/services/hephaestus.md
+++ b/docs/reference/services/hephaestus.md
@@ -68,17 +68,6 @@ in the [[authentik]] blueprint (`argocd/manifests/authentik/configmap-blueprint.
 - Issuer: `https://authentik.ops.eblu.me/application/o/heph/`
 - Audience / client id: `heph`
 - Restricted to the `admins` group (single-owner, sensitive data).
-- Scope mappings: `openid`, `email`, `profile`, **`offline_access`**.
-
-> **`offline_access` is required for durable sync.** The `heph` CLI requests
-> `scope = "openid offline_access"`, and a refresh token is only issued for the
-> 30-day refresh-token window when the provider actually grants `offline_access`.
-> Without that scope mapping the refresh token is bound to the login **session**;
-> once the session lapses, hephd's `refresh_token` grant returns `400 Bad
-> Request`, the bearer can't be refreshed, and spoke sync silently degrades
-> (`heph sync --status` → `auth_failure: true`). `heph auth login` papers over it
-> until the next session expiry. Keep `offline_access` in the provider's
-> `property_mappings`.
 
 Because no Authentik instance ships a device-code flow by default, the blueprint
 also creates `default-device-code-flow` and binds it to the default brand's