Overview
This article explains why a failed token exchange event occurs when an older refresh token is reused within its reuse interval, instead of a new token being issued.
Applies To
- Refresh Token Rotation
Cause
This behavior is by design to protect against attacks and enforce token rotation security. With refresh token rotation, only the most recently superseded refresh token is eligible for reuse during the leeway period. When an attempt is made to use an older refresh token (for example, the second-to-last token), the system correctly identifies this as a potential security risk. This action triggers security mechanisms that invalidate the entire refresh token family, resulting in a failed token exchange.
For example, consider the following sequence:
- An application uses refresh_token_1, and Auth0 issues refresh_token_2.
- The application then uses refresh_token_2, and Auth0 issues refresh_token_3.
If the application then attempts to reuse refresh_token_1, the exchange fails. This happens even if the reuse attempt is within the leeway period, because only the most recently superseded token (refresh_token_2) was eligible for reuse.
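To make the rule concrete, the following is an added Python model of one refresh token family with a reuse interval; it is example code written for this article, not Auth0's implementation, and the class and function names are assumptions. It also assumes that a tolerated reuse within the leeway simply hands back the already-active token.

```python
import secrets
from typing import Optional


class TokenFamilyRevoked(Exception):
    """Raised when a reuse attempt falls outside what rotation allows."""


class RefreshTokenFamily:
    """Constructed server-side model of one refresh token family."""
    def __init__(self, leeway: float) -> None:
        self.leeway = leeway            # reuse interval (leeway) in seconds
        self.current = secrets.token_urlsafe(16)
        self.previous: Optional[str] = None
        self.superseded_at = 0.0        # when `previous` stopped being current
        self.issued = {self.current}    # every token this family ever issued
        self.revoked = False

    def exchange(self, token: str, now: float) -> str:
        if self.revoked or token not in self.issued:
            raise TokenFamilyRevoked("family revoked or token not from this family")
        if token == self.current:
            # Normal rotation: the old current token becomes the only leeway-eligible one.
            self.previous, self.superseded_at = self.current, now
            self.current = secrets.token_urlsafe(16)
            self.issued.add(self.current)
            return self.current
        if token == self.previous and now - self.superseded_at <= self.leeway:
            # Assumption: a tolerated reuse hands back the already-active token.
            return self.current
        # Any older token (or `previous` after the leeway) invalidates the whole family.
        self.revoked = True
        raise TokenFamilyRevoked("reuse of an older refresh token: family invalidated")


def fails(fam: RefreshTokenFamily, token: str, now: float) -> bool:
    try:
        fam.exchange(token, now)
        return False
    except TokenFamilyRevoked:
        return True


def walkthrough(leeway: float = 60.0) -> dict:
    """Replays the article's sequence on a fixed clock (seconds)."""
    fam = RefreshTokenFamily(leeway=leeway)
    rt1 = fam.current
    rt2 = fam.exchange(rt1, now=0.0)   # refresh_token_1 -> refresh_token_2
    rt3 = fam.exchange(rt2, now=5.0)   # refresh_token_2 -> refresh_token_3
    return {
        "rt2_reuse_in_leeway_ok": fam.exchange(rt2, now=10.0) == rt3,
        "rt1_reuse_in_leeway_fails": fails(fam, rt1, now=10.0),  # second-to-last token
        "rt3_dead_after_revocation": fails(fam, rt3, now=11.0),  # family-wide invalidation
    }
```

Note that once refresh_token_1 is presented, even the active refresh_token_3 stops working, which is the family invalidation the article describes.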
Solution
To ensure a successful token exchange, the application should always present the most recently issued refresh token. If a reuse attempt is made within the reuse interval, only the refresh token immediately preceding the current, active token is eligible; using any older refresh token will result in a failed exchange, even if the attempt occurs within the reuse interval.