Hi @praskatti,
The React SDK stores the tokens in app memory by default. You can instead use local storage by adding cacheLocation="localstorage" to your Auth0Provider component, but there are security considerations with that method which you can read about here:
The Refresh Token will be returned to your app if:
- You API is configured to allow offline access: Register APIs
- The
Auth0Providercontains the offline_access scope:scope="offline_access" - The app is configured to allow refresh token rotation
The SDK will generate a nonce and send it with the oauth/authorize request when you call loginWithRedirect():
