Hey there @emrose11 welcome to the community!
There are 3 things you need to do to enable your Angular app to use refresh tokens:
-
Be sure the registered API for which you are passing the identifier as the audience param has “Allow Offline Access” enabled in the API’s settings in your dashboard. In the sample application you set the audience param in auth_config.json.
-
Turn on refresh token rotation for the relevant SPA application in your dashboard.
-
Set
useRefreshTokens: truein your AuthConfig. Here’s a working example app. If you’d like to test, go to /sample-01 and follow the steps to get it up and running in your environment.
For testing purposes I recommend setting a short lived access token lifetime in your API settings. With the app up and running, log in, wait until the access token has expired (60 seconds for example), navigate to the “external api” page, and click “ping api”. Assuming your access token has expired, this will kick off a refresh token exchange using the stored refresh token. You can verify this is all successful by navigating to monitoring → logs and looking for a successful refresh token exchange.