Were you getting the error on page refresh? If so, using local storage does solve it.
The solution is mentioned in auth0-spa-js/FAQ.md at master · auth0/auth0-spa-js · GitHub, which involves setting useRefreshTokensFallback to true.
If you can not, or do not want to use it, there will be all kinds of reasons the SDK can result in a missing refresh token error and our intent is not to try and avoid these. These are legimate, for example when not using local storage and refreshing the page loses the refresh token, and we are notifying the user about the fact that we have no refresh token. In that case, the solution is:
- enabling the fallback, which would use iframes when there is no refresh token
- login again
You can also persist the token, but we try and avoid recommending persisting the token for security reasons when it’s not strictly needed. On top of that, persisting it will not solve all situations, such as when there is no token found or the token is expired.
If you want us to look into it, please share a reproduction of the behavior you are seeing by opening an issue on the SPA-JS repository, and I am happy to dig into what’s happening and explaining.