How frequently should getAccessTokenSilently be called?

I’m using the Auth0’s React SDK.

All the examples call getAccessTokenSilently just before making the API call. This includes examples that call API in the useEffect() as well as example that call useAPI() hook.

My App has a higher level auth provider and it calls the getAccessTokenSilently to obtain the accessToken and then provides it to all the children components.

I’m wondering if this is a sane strategy or not as opposed to calling getAccessTokenSilently on-demand right before making an API call.

  • Which SDK this is regarding: auth0-react
  • SDK Version: 1.2.0
  • Platform Version: Mac OS X
  • Code Snippets/Error Messages/Supporting Details/Screenshots:
    *Is this a feature request or bug report? No
2 Likes

I was reading in another thread that getAccessTokenSilently() does not make a call to get a new token unless the old one is expired. This is not what I am experiencing. When I looked at the API code, it is checkSession that first checks if the token is valid and then calls getAccessTokenSilently(). However, I am using APIs and need to retrieve the bearer token to put into my header (using Reactjs) and trying to store in memory. Is there an Auth0 API call to retrieve the valid token from memory or localstorage?

1 Like

I’m using cookies to store the accessToken returned from getAccessTokenSilently. I do this in the AuthProvider component I have developed that envelopes the app. Perhaps I don’t need to store it in the cookie and just call getAccessTokenSilently in the AuthProvider’s useEffect().

With my storing the accessToken in the cookie, I’m worried that (putting aside all the security implications for the moment) when the accessToken expires, the only way to discover this event is when one of the API calls fail. And that happens in one of the children components of the AuthProvider that has called the API. In theory, I could signal this condition back to the AuthProvider and have it get a new access Token.

I think the React SDK documentation could be improved around this subject. At this point it feels like a black-box to me.

I’m really hoping that someone from Auth0 support jumps in here and answers my original question. It would be awesome if they could also answer it in the context of using refreshTokens.

1 Like

So I made myself an access token and decoded it using jwt.io. The “exp” in the payload should be the expiry time of the token, and mine was 24H after issuance. This is NOT official documentation and it could change.

Did they ever get answered? I’ve been using the useAuth0 hook and calling getAccessTokenSilently but noticed that it calls authorize every single time I call it. I (maybe incorrectly) assumed the function stored the token securely after initial retrieval and until expiry?

1 Like

Ignore me, this was answered on another question:

getAccessTokenSilently - new token on each call? - Auth0 Community

also, the docs point out that by default the SDK stores in memory, but this means after a page refresh a call is necessary. The storage option can be changed to store in local storage to survive page refresh but this has to be chosen, and comes with security risks to consider.

Auth0 Single Page App SDK

1 Like