Impact on Existing Non-Rotating Refresh Tokens When the Rotating Refresh Token Option Is Enabled

Problem statement

What happens to existing non-rotating refresh tokens when the rotating refresh token option is enabled for an application?

Solution

When the application's rotating refresh token option is enabled, the first refresh request that presents any existing non-rotating refresh token succeeds and returns a new, rotating refresh token. From that point on, all non-rotating refresh tokens that were issued for that particular API are invalidated, and only the rotating token chain remains usable.

If Auth0 has issued refresh tokens to the user for multiple APIs, the non-rotating refresh tokens issued for the other APIs remain valid until the same thing happens to them: the first refresh with one of them returns a rotating token and invalidates the remaining non-rotating tokens for that API.