If SPAs don't use refresh tokens, why is there a setting for them?

According to this community discussion, SPAs don’t use refresh tokens.

So why does my SPA application have a setting for “Refresh Token Lifetime (Absolute)” in the Auth0 application settings?


Hi @dedicatedmanagers,

SPAs didn’t use refresh tokens at the time of that thread… but they can now. With the release of rotating refresh tokens, SPAs are able to work with a refresh token, although a different type of refresh token than the non-rotating, non-expiring refresh tokens of old.

It looks like I actually updated that post with an edit mentioning it a while back. I will make sure it is clearer in the thread.

Let me know if you need any more clarification on the subject.
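
An added illustration, not part of the reply above and not Auth0's code: a simplified in-memory model of how a rotating refresh token differs from a non-rotating one, including the absolute lifetime the setting in the question refers to. The class, method and reason names are hypothetical, and the token strings come from a counter so the walk-through is readable; a real authorization server issues unguessable random values.

```javascript
// Simplified model of a rotating-refresh-token server (illustration only).
class RotatingRefreshTokens {
  constructor(absoluteLifetimeSec) {
    this.absoluteLifetimeSec = absoluteLifetimeSec;
    this.tokens = new Map();   // token -> { family, used }
    this.families = new Map(); // family -> { expiresAt, revoked }
    this.counter = 0;
  }

  // Interactive login starts a new token family with a fixed expiry.
  login(nowSec) {
    const family = `fam-${++this.counter}`;
    const expiresAt = nowSec + this.absoluteLifetimeSec;
    this.families.set(family, { expiresAt, revoked: false });
    return this.issue(family);
  }

  issue(family) {
    const token = `rt-${++this.counter}`; // constructed value, not random
    this.tokens.set(token, { family, used: false });
    return token;
  }

  // Each exchange retires the presented token and returns a new one.
  refresh(token, nowSec) {
    const entry = this.tokens.get(token);
    if (!entry) return { ok: false, reason: 'unknown_token' };
    const family = this.families.get(entry.family);
    if (family.revoked) return { ok: false, reason: 'family_revoked' };
    // Rotation never extends the family's absolute lifetime.
    if (nowSec >= family.expiresAt) return { ok: false, reason: 'absolute_lifetime_expired' };
    if (entry.used) {
      // A retired token was presented again: revoke the whole family.
      family.revoked = true;
      return { ok: false, reason: 'reuse_detected' };
    }
    entry.used = true;
    return { ok: true, refreshToken: this.issue(entry.family) };
  }
}

// Constructed walk-through: a retired token (e.g. one copied out of
// browser storage) is presented after the SPA has already rotated it.
function demo() {
  const server = new RotatingRefreshTokens(3600);
  const first = server.login(0);
  const second = server.refresh(first, 60).refreshToken;
  const replay = server.refresh(first, 120);  // retired token comes back
  const after = server.refresh(second, 180);  // family is now revoked
  return [replay.reason, after.reason];
}
```

In this model a token taken from storage is only useful until the next rotation, and presenting it afterwards ends the session for every holder, which forces a fresh login.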



Does the auth0-spa-js use rotating refresh tokens?

If so, where does it store the refresh token?

Specifically, where does it store the refresh token if cacheLocation is set to localstorage within createAuth0Client?



Using refresh tokens is an option. Storing tokens in LS is also an option.

If cacheLocation is set to LS then refresh tokens will be stored in LS.

This is all outlined in the doc:
