Auth0 management API issuing refresh tokens

Hello.

It has been reported multiple times on this forum that the Auth0 management API cannot issue refresh tokens and offline access cannot be enabled for it.

And so on.

However, we have observed the following in our logs:


{
  "date": "2025-05-20T16:06:44.588Z",
  "type": "sertft",
  "description": "Successful Refresh Token exchange",
  "connection": "Username-Password-Authentication",
  "connection_id": "con_t9CTvZ26ABENH2lf",
  "client_id": "our client id",
  "client_name": "ourclient",
  "ip": "...",
  "client_ip": "...",
  "user_agent": "Mobile Safari UI/WKWebView 0.0.0 / iOS 16.7.11",
  "details": {
    "tokenCounter": 1,
    "familyId": "b880pNBtVUw-oebW2pv3dQ",
    "actions": {
      "executions": [
        "ZTK7_KS3Iq9E9YvQlKSeHZQhMjAyNTA1MjBjG4WUX1FCn7WMJYNMeSL8"
      ]
    }
  },
  "user_id": "...",
  "user_name": "...",
  "audience": "https://ourtenant.auth0.com/api/v2/",
  "scope": "openid profile email offline_access",
  "auth0_client": {
    "name": "@auth0/auth0-angular",
    "version": "2.2.3",
    "env": {
      "angular/core": "15.2.10"
    }
  },
  "$event_schema": {
    "version": "1.0.0"
  },
  "log_id": "90020250520160644605136000000000000001223372132150939317",
  "tenant_name": "ourtenant",
  "_id": "90020250520160644605136000000000000001223372132150939317",
  "isMobile": true,
  "id": "90020250520160644605136000000000000001223372132150939317"
}

And we aren’t sure how this is possible. Any insight you can offer is much appreciated.

Hi @bryceb

Thank you for reaching out to us and for providing the details!

Please allow us some time to look into the matter and we will be back as soon as possible with more information.

Best regards,
Gerald

Hi @bryceb

I am sorry about the delayed response to your inquiry!

From what I understand in the log you have provided, it appears that your application seems to be the one providing the refresh token to the user. As mentioned in the above posts, the mentioned options are not available for the default API created by the Dashboard.

These options are only available for an API you would register within the dashboard. As mentioned there:

If this setting is enabled, Auth0 will allow applications to ask for Refresh Tokens for this API.

For the Management API, there is a single token which is exchanged with the application which can expire.

If you have any other questions, let me know!

Kind Regards,
Nik
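Added example, not part of any post in this thread and not Auth0's code: one way to check exported tenant logs for further events like the one quoted in the question, i.e. `sertft` entries whose `audience` is the Management API and whose `scope` includes `offline_access`, grouped by client and token family. It assumes logs exported as one JSON object per line and recognises the Management API by the `/api/v2/` audience shape seen in the quoted entry; the sample events and function names are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample events (one JSON object per line), using only field names
# that appear in the log entry quoted in the thread. All values are made up.
SAMPLE_LOGS = """\
{"type": "sertft", "client_id": "client-A", "audience": "https://ourtenant.auth0.com/api/v2/", "scope": "openid profile email offline_access", "details": {"familyId": "fam-1", "tokenCounter": 1}}
{"type": "sertft", "client_id": "client-A", "audience": "https://ourtenant.auth0.com/api/v2/", "scope": "openid profile email offline_access", "details": {"familyId": "fam-1", "tokenCounter": 2}}
{"type": "sertft", "client_id": "client-B", "audience": "https://api.example.test/orders", "scope": "openid offline_access", "details": {"familyId": "fam-2", "tokenCounter": 1}}
{"type": "s", "client_id": "client-A", "audience": "https://ourtenant.auth0.com/api/v2/", "scope": "openid"}
{"type": "sertft", "client_id": "client-C", "audience": "https://ourtenant.auth0.com/api/v2/", "scope": ["openid", "offline_access"], "details": {}}
not json at all
"""

def is_management_api(audience):
    """Assumption: the Management API audience looks like https://<tenant host>/api/v2/."""
    if not isinstance(audience, str):
        return False
    parts = urlsplit(audience)
    return parts.scheme == "https" and bool(parts.hostname) and parts.path.rstrip("/") == "/api/v2"

def scopes_of(event):
    """Return the scope set; accepts a space-separated string or a list."""
    scope = event.get("scope") or []
    return set(scope.split() if isinstance(scope, str) else scope)

def management_api_refresh_exchanges(lines):
    """Summarise 'sertft' events for the Management API audience, per client and token family."""
    summary = defaultdict(lambda: {"events": 0, "max_token_counter": 0})
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(event, dict) or event.get("type") != "sertft":
            continue
        if not is_management_api(event.get("audience")) or "offline_access" not in scopes_of(event):
            continue
        details = event.get("details") or {}
        stats = summary[(event.get("client_id"), details.get("familyId"))]
        stats["events"] += 1
        stats["max_token_counter"] = max(stats["max_token_counter"], details.get("tokenCounter") or 0)
    return dict(summary)

if __name__ == "__main__":
    for (client, family), stats in management_api_refresh_exchanges(SAMPLE_LOGS.splitlines()).items():
        print(client, family, stats)
```

The per-client grouping shows which applications are requesting the Management API audience together with `offline_access`, which is the combination the question asks about.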