Failed Silent Auth errors - 50X per minute

Hi, our production app logs show we are getting “Failed Silent Auth” errors 50+ times per minute. Anyone know what’s going on? I read some articles about how this can happen if you are using the Auth0 Test Google Developer Key, but we are not using Social sign-on.


Hi @maxhodges,

Are you still seeing this? There should be more info in the log. Could you post an example log with any sensitive data removed?

How do I know what’s sensitive?

We are getting like 50+ errors every minute!

Hi @dan.woda, here is an example of one of the errors (I replaced anything that looked sensitive, if that stops you from being able to troubleshoot please let us know).

{
  "date": "2022-10-27T23:10:20.221Z",
  "type": "fsa",
  "description": "Login required",
  "client_id": "QzAysdTw8aSrxJ7eHAagkmfRQa1zRDa4",
  "client_name": "Our Website",
  "ip": "173.225.320.88",
  "user_agent": "Chrome 103.0.0 / Mac OS X 10.12.6",
  "details": {
    "body": {},
    "qs": {
      "client_id": "QzAysdTw8aSrxJ7eHAagkmfRQa1zRDa4",
      "audience": "",
      "redirect_uri": "",
      "scope": "openid profile email offline_access",
      "response_type": "code",
      "response_mode": "web_message",
      "state": "clBlakJjLkdmdEZxVzFZRmh+RjdzTW1aOPEIU2VaRGFhMlZ3WD6SUmJ2Ng==",
      "nonce": "cW43SDieu09DM0VmWVpCb1IUHGluNmRTZDNTdFZGb1BvelNGbnNvMptiuP==",
      "code_challenge": "xWbOJ7lEM8L8nNKfx4poOEIUDYW1xKDm5RneUzVei6w",
      "code_challenge_method": "S256",
      "prompt": "none",
      "auth0Client": "eyJuYW1lIjoiYXV0aDAtc3UiPOpzIiwidmVyc2lvbiI6IjEuMjIuOID9"
    },
    "connection": null,
    "error": {
      "message": "Login required",
      "oauthError": "login_required",
      "type": "oauth-authorization"
    },
    "riskAssessment": null
  },
  "hostname": "",
  "audience": "",
  "scope": [ ... ],
  "auth0_client": {
    "name": "auth0-spa-js",
    "version": "1.22.1"
  },
  "log_id": "90020221027231023320309716095044678167100918345888694306",
  "_id": "90020221027231023320309716095044678167100918345888694306",
  "isMobile": false,
  "id": "90020221027231023320309716095044678167100918345888694306"
}


Thanks for the additional data.

This error occurs when the existing session cannot be refreshed. There are a few different things that could be causing it.

Can you tell us more about your implementation? What SDK are you using? Could you please provide a snippet of your code too?


Using "@auth0/auth0-spa-js": "^1.22.1"

Here is some of our code that calls auth0 functions. Maybe you can see some red flags. Let me know if you need something else:

// Methods of Auth0 Client that are overridden with custom logic.
const methods = {
  async isAuthenticated() {
    state.isLoggedIn = await client.isAuthenticated()
    return state.isLoggedIn
  },
  async forceRefreshToken() {
    try {
      return await client.getTokenSilently({ ignoreCache: true })
    } catch (error) {
      // eslint-disable-next-line no-console
      return client.logout()
    }
  },
  async checkSession() {
    await client.checkSession()

    if (!state.user && (await methods.isAuthenticated())) {
      await apolloOnLogin()

      const userLoaded = defer()

      const claims = await client.getIdTokenClaims()
      const customClaims = claims[''] || {}
      const impersonateAsId = customClaims['impersonate-as-id']
      const impersonateById = customClaims['impersonate-by-id']

            ? {
                query: CurrentUserImpersonated,
                variables: { impersonate_as_id: impersonateAsId },
              }
            : {
                query: CurrentUser,
                variables: { auth_id: claims.sub },
              }
          next: async ({ data: { users } } = {}) => {
            const [user] = users as User[]
            if (!user) {
              if (userLoaded.status === 'pending') {
                userLoaded.reject('User not found')
              }

              return null
            }

            debugLog('Self user refresh', user)

            if (state.user && state.user.role !== user.role) {
              // Force reload token when role changes
              await methods.forceRefreshToken()
            }

            state.user = camelCaseObject(user) as User
            state.user.isStaff = isStaff(state.user)
            state.user.impersonatedById = impersonateById

            if (userLoaded.status === 'pending') {
            }
          },
          error: (error) => {
            if (userLoaded.status === 'pending') {
            } else {
              // eslint-disable-next-line no-console
              console.error('subscription:error', error)
            }
          },

      try {
        await userLoaded.promise
      } catch (error) {
        // eslint-disable-next-line no-console
        console.error('Could not get self user:', error)
      }
    }

    state.loading = false
    return state.user
  },
  async loginWithPopup(
    options?: PopupLoginOptions,
    config?: PopupConfigOptions
  ) {
    state.popupOpen = true

    try {
      await client.loginWithPopup(options, config)
      await methods.isAuthenticated()
      state.error = null
    } catch (error) {
      state.error = error
    } finally {
      state.popupOpen = false
    }
  },
  async handleRedirectCallback(url?: string) {
    state.loading = true
    try {
      await client.handleRedirectCallback(url)
      state.isLoggedIn = true
      state.error = null
    } catch (error) {
      state.error = error
    } finally {
      state.loading = false
    }
  },
  async logout(options: LogoutOptions | undefined) {
    await apolloOnLogout()
  },
  getCachedSession() {
    return localStorage.getItem(SESSION_CACHE_KEY)
  },
  setSession(session: string) {
    return localStorage.setItem(SESSION_CACHE_KEY, session)
  },
}

Thanks for the added context. Here are a few more questions:

  • Does every user cause a failed silent auth error/s?
  • When you log in with a test user are you seeing these errors?

It may be helpful to provide a HAR file of the transaction (you can send it to me in a DM).

@dan.woda thank you for the follow up!

  • This does not happen with every user
  • I am not able to replicate with a test user

I sent the HAR file to you, although it was not generated when the issue occurs.

Can you match the IP of the failed silent auth requests to the request of a specific user?

Hi Dan,

Sorry for the late reply. There is no way to tie the user to the IP address. It seems that the user might not even be signed up yet.

We noticed that within a certain time period the requests come from the same IP address. There are many every second. Eventually the IP address changes.

We do have Suspicious IP Throttling and Brute-force Protection enabled. Shouldn’t those block an IP that fails to login repeatedly?

Edit: oh we also updated to use the 2.0 SPA SDK a couple days ago. From 1.22.1. These failed login attempts are still using 1.22.1, so that seems fishy.
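
One way to triage the pattern described in the last post (many "fsa" events per second from one IP, all carrying an SDK version the site no longer ships). This is an added example, not code from the thread or from Auth0. It assumes the tenant logs have been exported as an array of objects shaped like the log entry posted above; `summarizeFsa`, `deployedSdkMajor`, `perMinuteThreshold` and the sample events are hypothetical names and constructed data.

```javascript
// Added example: group Failed Silent Auth ("fsa") log events by IP and minute.
// Uses only fields visible in the posted log: type, date, ip, auth0_client.version.
function summarizeFsa(events, { deployedSdkMajor, perMinuteThreshold }) {
  const buckets = new Map(); // key "ip|minute" -> running stats
  for (const e of events) {
    if (e.type !== 'fsa') continue;
    const minute = e.date.slice(0, 16); // e.g. "2022-10-27T23:10" (ISO 8601, UTC)
    const key = `${e.ip}|${minute}`;
    const b = buckets.get(key) || { ip: e.ip, minute, count: 0, sdkVersions: new Set() };
    b.count += 1;
    b.sdkVersions.add((e.auth0_client && e.auth0_client.version) || 'unknown');
    buckets.set(key, b);
  }
  return [...buckets.values()]
    .map((b) => {
      const versions = [...b.sdkVersions].sort();
      return {
        ip: b.ip,
        minute: b.minute,
        count: b.count,
        sdkVersions: versions,
        // burst: more silent-auth failures from one IP in one minute than the threshold
        burst: b.count >= perMinuteThreshold,
        // staleSdk: at least one request reports an SDK major version the site no longer ships
        staleSdk: versions.some((v) => parseInt(v, 10) !== deployedSdkMajor),
      };
    })
    .sort((a, b) => b.count - a.count);
}

// Constructed sample events (documentation-range IPs, not data from the thread).
function sampleEvents() {
  const mk = (ip, sec, version) => ({
    type: 'fsa',
    date: `2022-10-27T23:10:${String(sec).padStart(2, '0')}.000Z`,
    ip,
    description: 'Login required',
    auth0_client: { name: 'auth0-spa-js', version },
  });
  const burst = Array.from({ length: 55 }, (_, i) => mk('203.0.113.7', i, '1.22.1'));
  const other = { type: 's', date: '2022-10-27T23:10:09.000Z', ip: '198.51.100.20' }; // non-fsa, ignored
  return [...burst, mk('198.51.100.20', 5, '2.0.0'), other];
}

// Assumed settings: the site now ships SDK 2.x; 50 per minute is the rate from the first post.
const report = summarizeFsa(sampleEvents(), { deployedSdkMajor: 2, perMinuteThreshold: 50 });
console.log(report);
```

Rows with both `burst` and `staleSdk` set are requests that do not come from the currently deployed front end, which is the case the last post describes.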