How do I maintain the Auth0 session on the device that displays the authorization URL? It does successfully get the session using webAuth.checkSession if I do it within the same browser, which leads me to believe it isn’t possible for a phone to log in and the device to store that session.
Hi @brgzingler ,
I understand you’re trying to maintain an Auth0 session across different devices - specifically between a phone where the login happens and another device that needs to maintain that session.
You’re correct in your observation. This is fundamentally challenging because:
- Auth0’s checkSession works within the same browser context because it relies on browser cookies/storage
- The authorization flow happening on the phone creates a session specific to that device/browser
But I am curious to know: what use case or experience are you trying to solve?
@sumansaurav I am trying to create a QR code login flow for a display that is running a web app. When users log in on their device, I want the session to persist on the display, ideally across subdomains as well, meaning we would need cookies. I was hoping for some sort of function in the Auth0 SDK to exchange the access token to create a session, but so far my solution has been to just store the id_token, expires_at and refresh_token in local storage, and then just check expires_at to see if the user’s session is over. When it is over, I use rotating refresh tokens to create a new session. I am not sure if local storage is the correct option for this, however.
Hi @brgzingler ,
If I am understanding correctly, you are trying to implement Client-Initiated Backchannel Authentication Flow.
Look at this documentation and let me know if this fits your use case.
I’m not sure this is quite what I am looking for. This isn’t for a mobile app so I have no way of sending push notifications; there must be a QR code that the user can scan with a device to authenticate when the user presses sign in on the display, similar to how Roku apps authenticate. This is confusing to me because there is surely a way to do what I’m trying to do with the Device Authorization Flow. The only difference is that I am doing it on a website in the browser, not in an app. Thank you for the response, though!
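For reference, the Device Authorization Flow named in the post above (RFC 8628) looks like this from the display's side. This is an added example, not code from the thread or from Auth0's SDK; the function names, the injected `fetchFn`/`sleepFn` helpers, and the domain and client ID arguments are assumptions, and it is assumed to run somewhere that can reach the tenant's `/oauth/device/code` and `/oauth/token` endpoints.

```javascript
// Added example: RFC 8628 device flow as seen by the display.
// Hypothetical helper names; domain and clientId are caller-supplied placeholders.
const DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code";

// Pure step function: decide what to do with one /oauth/token response body.
function nextPollAction(body, intervalSec) {
  if (body.access_token) return { action: "done", tokens: body };
  switch (body.error) {
    case "authorization_pending": return { action: "wait", intervalSec };
    case "slow_down": // RFC 8628 section 3.5: back off by 5 seconds
      return { action: "wait", intervalSec: intervalSec + 5 };
    case "expired_token": return { action: "fail", reason: "code expired, show a new QR code" };
    case "access_denied": return { action: "fail", reason: "user denied the request" };
    default: return { action: "fail", reason: body.error || "unexpected response" };
  }
}

async function postForm(fetchFn, url, params) {
  const res = await fetchFn(url, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams(params).toString(),
  });
  return res.json();
}

// Step 1: request device_code and user_code. The response's
// verification_uri_complete is the URL to render as the QR code.
function startDeviceFlow(fetchFn, domain, clientId, scope) {
  return postForm(fetchFn, `https://${domain}/oauth/device/code`, { client_id: clientId, scope });
}

// Step 2: poll until the login on the phone completes or the code expires.
async function pollForTokens(fetchFn, sleepFn, domain, clientId, start) {
  let intervalSec = start.interval || 5;
  const deadline = Date.now() + start.expires_in * 1000;
  while (Date.now() < deadline) {
    await sleepFn(intervalSec * 1000);
    const body = await postForm(fetchFn, `https://${domain}/oauth/token`, {
      grant_type: DEVICE_GRANT, device_code: start.device_code, client_id: clientId,
    });
    const step = nextPollAction(body, intervalSec);
    if (step.action === "done") return step.tokens;
    if (step.action === "fail") throw new Error(step.reason);
    intervalSec = step.intervalSec;
  }
  throw new Error("code expired, show a new QR code");
}
```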
Hi team!
This is a heads-up that we’re hosting an Ask Me Anything (AMA) session dedicated to Auth0 sessions, refresh tokens, and the Management API. Our product experts will be on hand February 12, 2025, from 8 AM to 10 AM PST to answer all your questions—no matter how basic or advanced they may be! You can submit your queries anytime from now until February 11, and we’ll provide detailed written answers during the live event.
This is a fantastic opportunity to learn best practices around session management, refresh token rotation, and the Management API. Plus, everyone who participates gets points and a special badge just for joining in on the fun.
If you have any burning questions (or even casual curiosities!), feel free to drop them in this thread. We can’t wait to see what you’re working on and how we can help you optimize your Auth0 setup. See you there!
Auth0 Community Ask Me Anything: Auth0 Sessions and Refresh Tokens