403 Forbidden Error when renewing token

The "Unknown or invalid refresh token" error message indicates that Auth0 is failing to recognize the refresh token for some reason, so either a valid token is not being transmitted somehow (in these circumstances, maybe you’re somehow sending garbage, or it’s missing or truncated or padded with extra characters or quotes) or a valid token is being transmitted but Auth0 is refusing to recognize it (because it expired or was revoked).

It’s unclear to me from the context where this token is coming from, although the Other 0.0.0 value for user agent suggests that you’re making this call from the server-side. The fact that you’re using userSession?.refreshToken suggests to me that userSession could be null/undefined in some circumstances, which would pass "undefined" as the token value and definitely lead to this type of error. I would highly recommend that you restructure this logic to check for a valid userSession and non-empty refreshToken and to throw your own error immediately rather than fruitlessly calling Auth0 with a missing token.

If you find that this error persists even after you are certain that the refresh token is non-empty (and presumably valid), then the only other thing that comes to mind is that somehow your refresh tokens are getting revoked, either through user logout or possibly you’re hitting the 200 maximum number of refresh tokens per user.
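An added example, not part of any post in this thread: one way to implement the local check recommended above, so a missing or malformed refresh token fails before Auth0 is called. `MissingRefreshTokenError`, `requireRefreshToken`, `renewTokens` and the injected `exchange` callback are hypothetical names; the session shape (`userSession.refreshToken`) is taken from the thread.

```javascript
// Added example: reject unusable refresh tokens locally instead of sending them to Auth0.
// All names here are hypothetical; only userSession.refreshToken comes from the thread.
class MissingRefreshTokenError extends Error {
  constructor(reason) {
    // Only the reason is recorded, never the token value, so it is safe to log.
    super(`Refusing to call the token endpoint: ${reason}`);
    this.name = "MissingRefreshTokenError";
    this.reason = reason;
  }
}

// Returns the token unchanged when it looks transmittable, otherwise throws.
function requireRefreshToken(userSession) {
  if (userSession == null) {
    throw new MissingRefreshTokenError("no user session");
  }
  const token = userSession.refreshToken;
  if (typeof token !== "string") {
    throw new MissingRefreshTokenError("refresh token is not a string");
  }
  if (token.length === 0) {
    throw new MissingRefreshTokenError("refresh token is empty");
  }
  // What String(undefined) or String(null) produce after careless serialization.
  if (token === "undefined" || token === "null") {
    throw new MissingRefreshTokenError("refresh token is a stringified undefined/null");
  }
  // Padding or stray newlines picked up from storage, cookies or env files.
  if (/\s/.test(token)) {
    throw new MissingRefreshTokenError("refresh token contains whitespace");
  }
  // Leftover quotes from storing JSON.stringify(token) instead of the raw value.
  if (/^["']|["']$/.test(token)) {
    throw new MissingRefreshTokenError("refresh token is wrapped in quotes");
  }
  return token;
}

// `exchange` is injected (assumption) so the guard can be exercised offline; in
// production it would send grant_type=refresh_token to the tenant's /oauth/token.
async function renewTokens(userSession, exchange) {
  const token = requireRefreshToken(userSession); // throws before any network call
  return exchange(token);
}
```

A token that passes these checks can still be rejected by Auth0 if it has expired or been revoked; the guard only rules out the transmission problems.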

And also, I didn’t really get your point related to the token being reused. Can you please elaborate? I want to add that I am having the same result whether refresh token rotation is on or off.

I was specifically referring to refresh token rotation errors, and that would have manifested with a different error and type (ferrt), so apparently that’s not your issue.