Handling Expired Refresh Tokens

Overview

Refresh tokens in Auth0 allow applications to obtain new access tokens without requiring user interaction. However, they can expire or become invalid for several reasons, causing authentication failures. This article explains the common causes of expired refresh tokens and how to handle them.

Applies To

  • Refresh Tokens
  • Single Page Applications (SPAs)

Cause

A refresh token becomes invalid for one of the following reasons:

  • Rotation - If refresh token rotation is enabled, each token is valid only once. Presenting an already-used token results in an error.
  • Idle lifetime - If the refresh token is not used within the idle lifetime period, it becomes invalid.
  • Absolute lifetime - Refresh tokens expire after a fixed duration, regardless of usage.
  • Revocation - User logouts, password changes, or security policies may revoke tokens.

Solution

  1. Handle Rotation Properly - Ensure the application correctly stores and uses the latest refresh token provided by Auth0.
  2. Monitor Expiry Settings - Adjust idle and absolute token lifetimes in the Auth0 dashboard.
  3. Implement Expiry Handling - Detect when a refresh token expires and prompt the user to re-authenticate.
  4. Check Token Revocation Causes - Investigate logs in Auth0’s dashboard (Monitoring > Logs) to identify revocation reasons.
  5. Use Silent Authentication - If applicable, implement silent authentication (/authorize with prompt=none) to refresh sessions without interaction.
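As an added example (not Auth0's own code or SDK), the following JavaScript shows steps 1 and 3 in a SPA: it exchanges the stored refresh token at the token endpoint, overwrites it with the rotated one, and treats an invalid_grant response (expired, already-used or revoked token) as a signal to clear the session and re-authenticate. The tokenEndpoint and clientId values, the SessionStore shape and the fake token endpoint are assumptions constructed for this example.

```javascript
// Session state kept by the SPA (shape assumed for this example).
class SessionStore {
  constructor() { this.accessToken = null; this.refreshToken = null; }
  clear() { this.accessToken = null; this.refreshToken = null; }
}

// Exchange the stored refresh token for a new access token. Returns 'ok',
// 'reauth_required' (expired, already rotated or revoked) or 'retry' (transient failure).
async function refreshAccessToken(store, { tokenEndpoint, clientId, fetchFn = fetch }) {
  if (!store.refreshToken) return { status: 'reauth_required', reason: 'no_refresh_token' };
  const body = new URLSearchParams({
    grant_type: 'refresh_token', client_id: clientId, refresh_token: store.refreshToken,
  }).toString();
  const resp = await fetchFn(tokenEndpoint, {
    method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body,
  });
  const data = await resp.json();
  if (resp.ok) {
    store.accessToken = data.access_token;
    // With rotation enabled the response carries a new refresh token and the old
    // one is now dead: overwrite it immediately, never keep both.
    if (data.refresh_token) store.refreshToken = data.refresh_token;
    return { status: 'ok' };
  }
  if (data.error === 'invalid_grant') {
    // Idle/absolute expiry, reuse of a rotated token and revocation all surface as
    // invalid_grant: drop local state and send the user back to /authorize.
    store.clear();
    return { status: 'reauth_required', reason: data.error_description || data.error };
  }
  return { status: 'retry', reason: data.error || `http_${resp.status}` };
}

// Constructed stand-in for a token endpoint with rotation: every refresh token is
// accepted exactly once; anything else gets invalid_grant.
function makeFakeTokenEndpoint(initialTokens) {
  const live = new Set(initialTokens);
  let n = 0;
  const reply = (status, obj) => ({ ok: status === 200, status, json: async () => obj });
  return async (_url, { body }) => {
    const rt = new URLSearchParams(body).get('refresh_token');
    if (!live.has(rt)) {
      return reply(403, { error: 'invalid_grant', error_description: 'Unknown or invalid refresh token.' });
    }
    live.delete(rt);
    const next = `rt_${++n}`;
    live.add(next);
    return reply(200, { access_token: `at_${n}`, refresh_token: next, token_type: 'Bearer', expires_in: 86400 });
  };
}
```

Against a real tenant, pass the tenant's /oauth/token URL as tokenEndpoint and omit fetchFn so the browser's fetch is used; a 'reauth_required' result is the point at which the application prompts the user or attempts prompt=none.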