How frequently should getAccessTokenSilently be called?

I’m using the Auth0’s React SDK.

All the examples call getAccessTokenSilently just before making the API call. This includes examples that call API in the useEffect() as well as example that call useAPI() hook.

My App has a higher level auth provider and it calls the getAccessTokenSilently to obtain the accessToken and then provides it to all the children components.

I’m wondering if this is a sane strategy or not as opposed to calling getAccessTokenSilently on-demand right before making an API call.

  • Which SDK this is regarding: auth0-react
  • SDK Version: 1.2.0
  • Platform Version: Mac OS X
  • Code Snippets/Error Messages/Supporting Details/Screenshots:
    *Is this a feature request or bug report? No

I was reading in another thread that getAccessTokenSilently() does not make a call to get a new token unless the old one is expired. This is not what I am experiencing. When I looked at the API code, it is checkSession that first checks if the token is valid and then calls getAccessTokenSilently(). However, I am using APIs and need to retrieve the bearer token to put into my header (using Reactjs) and trying to store in memory. Is there an Auth0 API call to retrieve the valid token from memory or localstorage?

1 Like

I’m using cookies to store the accessToken returned from getAccessTokenSilently. I do this in the AuthProvider component I have developed that envelopes the app. Perhaps I don’t need to store it in the cookie and just call getAccessTokenSilently in the AuthProvider’s useEffect().

With my storing the accessToken in the cookie, I’m worried that (putting aside all the security implications for the moment) when the accessToken expires, the only way to discover this event is when one of the API calls fail. And that happens in one of the children components of the AuthProvider that has called the API. In theory, I could signal this condition back to the AuthProvider and have it get a new access Token.

I think the React SDK documentation could be improved around this subject. At this point it feels like a black-box to me.

I’m really hoping that someone from Auth0 support jumps in here and answers my original question. It would be awesome if they could also answer it in the context of using refreshTokens.

So I made myself an access token and decoded it using jwt.io. The “exp” in the payload should be the expiry time of the token, and mine was 24H after issuance. This is NOT official documentation and it could change.