Hello @viktorvsk. The reason the default for RTR is set to disabled for Native Apps is merely to avoid a change in behavior for customers (adding refresh token rotation) that expect Native Apps to not rotate those tokens. So the only new behavior we introduced here were the default expiration settings. We set the default rotation behavior for SPAs to enabled because previously we did not allow refresh tokens to be used in SPAs, so enabling this by default sets the correct/secure behavior that complies with recommended security best practices.
Related topics
| Topic | Replies | Views | Activity | |
|---|---|---|---|---|
| Inconsistency around the rotating refresh tokens | 1 | 946 | June 15, 2023 | |
| When does a refresh token become invalid? | 3 | 2389 | July 12, 2022 | |
| What does Inactivity Lifetime do for Refresh Tokens in Rotation given that the Refresh Tokens are single use | 0 | 296 | February 23, 2024 | |
| Disabling refresh token rotation > impact? | 3 | 1016 | March 6, 2023 | |
| Receiving “Token could not be decoded or is missing in DB” even with refresh token rotation disabled | 1 | 23 | May 22, 2025 |