Calling graphql endpoints with token in header in nextjs


We’re having troubles getting pretty standard user flow with a pretty standard tech stack for web application: nextjs + graphql + auth0.
The problem is that when we want to secure both routes in nextjs via withPageAuthRequired function and graphql endpoints by sending token in header using getAccessToken function from nextjs-auth0 library, there’s a mismatch between how these function see the token: While withPageAuthRequired usually keeps the user logged in for a long time, when trying to call getAccessToken, we usually get an error The access token has expired and refresh token is not available.
I’ve even taken a path to use refresh tokens, but that opened another set of problems, so I am trying to first understand the source of the basic issue: Why aren’t both withPageAuthRequired and getAccessToken considering the token either expired or valid?

Our application settings:
Refresh token rotation: off
Absolute expiration: off
Inactivity expiration: on
Inactivity lifetime: default / whatever sane value (e.g. 24 hours)
ID_token expiration: default / whatever sane value

API settings:
Token expiration: default / whatever sane value (e.g. 24 hours)
Token expiration for browser flows: default / whatever sane value (e.g. 24 hours)
Allow offline access: off

I tried to experiment with a short token expiration times in API settings (e.g. 60 seconds) to simulate the expiration, but withPageAuthRequired still displays the page after this period, the only way to prevent it is to manually log out. On the other hand, getAccessToken follows the expiration time and throws an error about expired token.

Maybe I am missing the connection between API and application and which one is following which settings…? Also it’s not clear if (and then how) the refresh token is used in this setup, since refresh token is supposed to only work when allowing offline access and asking for scope ‘offline_access’. But why there’s option in application settings to set ‘inactivity expiration’, which seems related to the refresh token? Is it even applied in such case?

Seems really confusing since there are many places to set things related to session expiration / prolongation / inactivity etc and the relation between them is nearly impossible to find out.
Also I’d welcome some suggestion how to debug such issues. Can I e.g. find out which expiration time is applied by nextjs-auth0 or exactly which access and refresh tokens are used?

Thank you for any help!

  • Which SDK this is regarding: nextjs-auth0
  • SDK Version: 1.9.0