Can I save Refresh Token into localStorage if `Refresh Token Rotation` is enabled?

Hi @tamuhey,

Welcome to the Community!

Yes. With the re-use detection capability of RTR they can be stored in localStorage. If you aren't currently using the auth0-spa-js SDK, I would recommend taking a look to see if it fits your use-case:

https://auth0.com/docs/libraries/auth0-spa-js#use-rotating-refresh-tokens

If a non-rotating refresh token was compromised in an XSS attack, an attacker could make requests with this token without any automatic mechanism for detecting and revoking the token. RTR adds a mechanism for automatically revoking a token that is compromised. This is explained at length in our blog:

The added security of RTR comes from their rotating nature, not just their lifetime. This prevents a token from being used simultaneously by an attacker and an authenticated user. More on that in the blog I linked.

1 Like
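To make the re-use detection mechanism from the reply above concrete, here is an added example (not Auth0's code, and not part of the original thread) of the server-side bookkeeping that rotation relies on. It assumes a hypothetical in-memory `RefreshTokenStore`: every refresh token belongs to a "family", each refresh consumes the presented token and mints a new one in the same family, and presenting an already-consumed token is treated as evidence that a copy leaked (for instance via XSS from localStorage), so the whole family is revoked and both the legitimate client and whoever holds the stale copy must authenticate again.

```python
"""Toy model of refresh-token rotation with reuse detection.

Added example, not Auth0's code. Hypothetical API; single process, in memory.
Shows why a rotating refresh token in localStorage is safer than a static one:
a stolen copy can only be used until either party refreshes, after which the
next reuse trips detection and revokes the entire token family.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshToken:
    family_id: str
    expires_at: float
    used: bool = False  # set once the token has been exchanged


class RefreshTokenStore:
    """Server-side store keyed by token value (hypothetical, in memory)."""

    def __init__(self, lifetime_seconds: float = 24 * 3600, clock=time.time):
        self._clock = clock                 # injectable for testing expiry
        self._lifetime = lifetime_seconds
        self._tokens: dict[str, RefreshToken] = {}
        self._revoked_families: set[str] = set()
        self.audit_log: list[str] = []      # what a detection pipeline would read

    def _mint(self, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshToken(family_id, self._clock() + self._lifetime)
        return token

    def issue(self) -> str:
        """Called after a successful login: start a brand-new token family."""
        return self._mint(secrets.token_hex(8))

    def rotate(self, presented: str) -> str | None:
        """Exchange a refresh token for a fresh one. None means: reject, re-authenticate."""
        record = self._tokens.get(presented)
        if record is None:
            self.audit_log.append("reject: unknown token")
            return None
        if record.family_id in self._revoked_families:
            self.audit_log.append(f"reject: family {record.family_id} already revoked")
            return None
        if record.used:
            # Reuse detection: a consumed token was presented again. The server
            # cannot tell whether the legitimate client or a thief holds the
            # stale copy, so it revokes the whole family and forces re-login.
            self._revoked_families.add(record.family_id)
            self.audit_log.append(f"REUSE DETECTED: revoked family {record.family_id}")
            return None
        if self._clock() > record.expires_at:
            self.audit_log.append("reject: expired token")
            return None
        record.used = True                  # consume the presented token
        return self._mint(record.family_id) # rotate: new token, same family

    def is_family_revoked(self, token: str) -> bool:
        record = self._tokens.get(token)
        return record is not None and record.family_id in self._revoked_families


def demo_theft_scenario() -> tuple[bool, bool, bool, list[str]]:
    """Legitimate refresh, then replay of the consumed token, then fallout."""
    store = RefreshTokenStore()
    t1 = store.issue()          # user logs in; t1 is stored client-side
    t2 = store.rotate(t1)       # normal refresh: t1 consumed, t2 issued
    replay = store.rotate(t1)   # a stale copy of t1 is presented again
    after = store.rotate(t2)    # even the current token is now rejected
    return t2 is not None, replay is None, after is None, store.audit_log[-2:]


if __name__ == "__main__":
    print(demo_theft_scenario())
```

The important design point is the last branch of `rotate`: a consumed token is never silently ignored, because that one event is the only signal the server gets that two parties hold the same credential. The audit log entries are where a SIEM rule for "refresh token reuse" would hook in.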