Ignore me, this was answered on another question:
getAccessTokenSilently - new token on each call? - Auth0 Community
also, the docs point out that by default the SDK stores in memory, but this means after a page refresh a call is necessary. The storage option can be changed to store in local storage to survive page refresh but this has to be chosen, and comes with security risks to consider.