Overview
This article aims to clarify the concept of refresh token rotation in Auth0, specifically addressing the common confusion around the absolute expiration of refresh tokens.
Applies To
- Refresh Tokens
- Refresh Tokens Rotation
Solution
There is a common misunderstanding regarding how the absolute expiration of refresh tokens works in Auth0. When a refresh token (RT) is exchanged for a new one, its absolute expiration is not extended. The configured absolute lifetime (e.g., 4 minutes) is counted from the moment the first refresh token in the chain was created: every token obtained by rotating it expires at that same creation time plus the configured duration.
Key Points:
- The absolute expiration of a rotating refresh token is defined at the time of its creation and does not change, even when the token is exchanged for a new one.
- The process of refreshing tokens (exchanging the current refresh token for a new access token and a new refresh token) does not affect the absolute lifetime of the refresh token chain.
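The following is an added example, not Auth0 code, that models the behaviour described above: a chain of rotating refresh tokens whose absolute expiration is fixed when the first token is issued. Everything in it is an assumption for illustration (the in-memory store, the simulated clock in seconds, the 4-minute lifetime taken from the article's example, and the rule that a token is retired once it has been exchanged); only the point about absolute expiration comes from the article.

```python
from dataclasses import dataclass
import secrets

# Constructed value: the article's 4-minute example, in seconds.
ABSOLUTE_LIFETIME_S = 240


@dataclass
class RefreshToken:
    value: str
    chain_id: str          # identifies the chain the token belongs to
    created_at: int        # simulated clock, seconds
    absolute_expiry: int   # set once for the whole chain, never extended
    active: bool = True    # False once exchanged or expired


class RotatingRefreshTokenStore:
    """Toy model (assumption) of rotating refresh tokens with a fixed absolute lifetime."""

    def __init__(self, absolute_lifetime_s: int = ABSOLUTE_LIFETIME_S) -> None:
        self.absolute_lifetime_s = absolute_lifetime_s
        self._tokens: dict[str, RefreshToken] = {}

    def issue(self, now: int) -> RefreshToken:
        """First token of a new chain: absolute expiry = creation time + lifetime."""
        tok = RefreshToken(
            value=secrets.token_urlsafe(32),
            chain_id=secrets.token_hex(8),
            created_at=now,
            absolute_expiry=now + self.absolute_lifetime_s,
        )
        self._tokens[tok.value] = tok
        return tok

    def rotate(self, presented: str, now: int) -> RefreshToken:
        """Exchange a refresh token for a new one in the same chain.

        The new token inherits the chain's absolute expiry unchanged; once that
        instant is reached the exchange is refused, no matter how recently the
        presented token itself was minted.
        """
        tok = self._tokens.get(presented)
        if tok is None or not tok.active:
            raise PermissionError("unknown or already-exchanged refresh token")
        tok.active = False  # rotation retires the presented token
        if now >= tok.absolute_expiry:
            raise PermissionError("refresh token chain reached its absolute expiration")
        new_tok = RefreshToken(
            value=secrets.token_urlsafe(32),
            chain_id=tok.chain_id,
            created_at=now,
            absolute_expiry=tok.absolute_expiry,  # NOT recomputed from `now`
        )
        self._tokens[new_tok.value] = new_tok
        return new_tok


def rotation_refused(store: RotatingRefreshTokenStore, presented: str, now: int) -> bool:
    """True if the store refuses to rotate `presented` at time `now`."""
    try:
        store.rotate(presented, now)
    except PermissionError:
        return True
    return False


def demo() -> tuple[int, bool]:
    """Rotate twice inside the window, then show the chain still dies at t0 + 240 s."""
    store = RotatingRefreshTokenStore()
    t0 = 1_700_000_000  # constructed clock value
    rt1 = store.issue(t0)
    rt2 = store.rotate(rt1.value, t0 + 60)    # 1 minute in: new RT, same expiry
    rt3 = store.rotate(rt2.value, t0 + 180)   # 3 minutes in: new RT, same expiry
    assert rt1.absolute_expiry == rt2.absolute_expiry == rt3.absolute_expiry
    # rt3 is only 61 s old here, yet the chain's absolute lifetime is exhausted.
    refused = rotation_refused(store, rt3.value, t0 + 241)
    return rt3.absolute_expiry - t0, refused


if __name__ == "__main__":
    print(demo())  # (240, True)
```

The expiry inherited in `rotate` is the whole point: a correct implementation copies `tok.absolute_expiry` rather than computing `now + lifetime`, so clients must plan for a full re-authentication when the chain's fixed deadline arrives, however active the session has been.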
For more detailed information, refer to the Configure Refresh Token Expiration documentation.
By understanding this, developers can better manage token lifetimes and ensure their applications handle token expiration correctly.