I’d also love to know how to achieve this. I had gotten the impression that Refresh Tokens were the answer to the problem of safely maintaining sessions. After you enabled these on the API project, the SPA project, and the Auth0 JS client, calls to getTokenSilently would simply “work”.
Do I have this wrong?