"Absolute Expiration" doesn't seem to work

SDK: auth0-spa-js@1.18.0
Chrome 95

I want to make our users re-log-in after 24 hours, regardless of activity. I don’t think what I did is working, so I made a test app/api to test and I can’t make my frontend fail properly when it expires. I may be completely misunderstanding the flow.

I have an API in Auth0 called “Expire Test API”. It has “Token Expiration (Seconds) *”: 30 and “Token Expiration For Browser Flows (Seconds) *”: 30. “Allow Skipping User Consent” is on and “Allow Offline Access” is off.

I have an application in Auth0 called “Expire Test”. It is a “Single Page Application”. “ID Token Expiration”: 60, “Rotation” is off, “Absolute Expiration” is on, “Absolute Lifetime”: 60. “Inactivity Expiration” is off. I haven’t changed any of the defaults under “Advanced”.

In the front end I make one instance of the Auth0Client via:

import createAuth0Client, { Auth0Client } from "@auth0/auth0-spa-js";

// Single shared client instance, created lazily on first use.
let auth0: Auth0Client | null;

export const getAuth0Client = async (): Promise<Auth0Client> => {
  if (!auth0) {
    auth0 = await createAuth0Client({
      useRefreshTokens: false,
      domain: "the correct domain",
      client_id: "expire app ID",
      redirect_uri: `${window.location.origin}/login_callback`,
      audience: "expire test API audience",
      cacheLocation: "localstorage",
    });
  }
  return auth0;
};

(I’ve tried useRefreshTokens as true, false, and omitted). When the user enters the app I call auth0.isAuthenticated() and if that’s false I redirect them to the login.

When I do an API call, I do

const auth0 = await getAuth0Client();
// ignoreCache forces a round trip to Auth0 instead of returning the cached token.
let accessToken = await auth0.getTokenSilently({
  ignoreCache: true,
});


  • After 60 seconds, if I refresh the page, I’m redirected to the login page.
  • I stay logged in without a problem


  • If I log in, then wait over 60 seconds, then call an API, it fails because the token is no longer valid
  • It works without a problem

When I call an API (aka I use getTokenSilently()) after 60 seconds, I can see in the network tab in Chrome that it calls authorize, then it calls oauth/token. How is it able to do that and how do I make it stop?

Hi @dustin-relicx

You create an Auth0 session when you log in, and the silent auth checks this session. If it exists, then you get a new access token back without entering your credentials again.

Go to your tenant settings in your dashboard, click the Advanced tab, and go to Login Session Management, and update those.


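Because silent authentication issues a fresh token for as long as the Auth0 session exists, a token's `exp` says nothing about how long ago the user actually logged in. The check below is an added example, not code from this thread or from the Auth0 SDK: it measures session age from the OIDC `auth_time` claim instead. It assumes the claims come from an already-validated ID token that carries `auth_time` (OIDC requires that claim when `max_age` is sent in the authorization request); `checkSessionAge`, the skew value and the sample claims are hypothetical and constructed for illustration.

```javascript
const MAX_SESSION_AGE = 24 * 60 * 60; // seconds; the 24 hours from the question
const CLOCK_SKEW = 60;                // seconds of tolerated clock drift (assumed value)

// Decide from already-validated ID token claims whether the user must log in
// again. `iat`/`exp` restart on every silent renewal, so only `auth_time`
// (when the user last actually authenticated) measures absolute session age.
function checkSessionAge(claims, nowSeconds, maxAge = MAX_SESSION_AGE) {
  const authTime = claims && claims.auth_time;
  if (!Number.isInteger(authTime)) {
    // Fail closed: without auth_time the session age cannot be proven.
    return { reauthenticate: true, reason: "auth_time_missing" };
  }
  if (authTime > nowSeconds + CLOCK_SKEW) {
    return { reauthenticate: true, reason: "auth_time_in_future" };
  }
  const age = nowSeconds - authTime;
  if (age >= maxAge) {
    return { reauthenticate: true, reason: "session_too_old", age };
  }
  return { reauthenticate: false, reason: "ok", age };
}

// Constructed sample claims: login at T0, then a silent renewal 25 hours later.
const T0 = 1636000000;
const atLogin = { sub: "auth0|example", auth_time: T0, iat: T0, exp: T0 + 60 };
const afterSilentRenewal = {
  sub: "auth0|example",
  auth_time: T0,            // unchanged: no credentials were entered
  iat: T0 + 25 * 3600,      // freshly issued by silent authentication
  exp: T0 + 25 * 3600 + 60, // so the token itself is not expired
};
const withoutAuthTime = { sub: "auth0|example", iat: T0, exp: T0 + 60 };

function demo() {
  const now = T0 + 25 * 3600 + 5;
  return {
    fresh: checkSessionAge(atLogin, T0 + 30),
    renewed: checkSessionAge(afterSilentRenewal, now),
    tokenStillValid: afterSilentRenewal.exp > now,
    missing: checkSessionAge(withoutAuthTime, T0 + 30),
  };
}

console.log(demo());
```

A browser-side check like this only triggers the redirect to login; the tenant session settings from the answer remain what enforces the limit.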