How to verify rotating refresh tokens working correctly

According to docs:

Refresh Tokens are used when useRefreshTokens is set to true when configuring the SDK.

After flicking the option I don’t see any changes in the application or the console. Because this is a pretty important security option - is there a way to verify that it’s working correctly?

Anything I can check client-side / server-side?


If you want to see that a refresh token expires, I’d suggest configuring one of your dev/test tenants with short timeout, getting a refresh token, waiting and trying to exchange it.


Thanks for this. So I gave it a go and I don’t think it’s working.

My actions:

  1. Add this to auth_config.json
"useRefreshTokens": true
  1. In tenant settings for the SPA set Refresh Token Rotation to on, absolute exprimation to 5 and inactivity lifetime to 3.
  2. Log in into the app -> wait for 10 seconds -> I can still do all the actions with no problem. So it seems rotation is not working / token is not expiring?

My setup is Vue SPA on the front end and a Flask API on the backend. The above settings were changed for the SPA, they are greyed out for the api in the tenant.

What am I missing?

I did some further experimentation, specifically:

  1. Set the lifetime value for RT to 1s (SPA dashboard)
  2. Set the lifetime value for AT to 1s (backend api dashboard)

Then indeed I see new calls to authorize (when RT expires) and to oauth/token (when AT expires).

@john.gateley could you confirm if I’m on the right track here?

Btw, if this is indeed correct then enabling token refresh is a more complex process than the docs describe:

  1. add "useRefreshTokens": true to frontend config
  2. enable RT in SPA (frontend) dashboard
  3. enable offline_access in api (backend) dashboard

Docs only mention (1) above. @john.gateley am I getting this right?

(writing this out mostly for my future self and anyone else having the problem)