Inactivity Timeout and Refresh Token Exchanges

Overview

The Session Lifetime Limits documentation mentions the following:

Inactivity timeout: Timeframe (in minutes) after which a user’s session will expire if they haven’t interacted with the Authorization Server. This timeout will be superseded by system limits if it exceeds 4,320 minutes (3 days) for Essential or Professional plans, or 144,000 minutes (100 days) for Enterprise plans.

This article clarifies whether refresh token exchanges count as activity (an interaction with the Authorization Server) for the purposes of the inactivity timeout.

Solution

Interaction with the Authorization Server specifically means requests to the /authorize endpoint, including silent authentication (an /authorize request with prompt=none). Refresh token exchanges (a grant_type=refresh_token request to the /oauth/token endpoint) do not count as an interaction in this context. Therefore, the user's session will not remain active if the only activity is refresh token exchanges: the inactivity timer keeps running and the session expires as if the user had done nothing.

Note, however, that refresh token exchanges succeed regardless of whether the user's session has expired or not. The validity of a refresh token is not tied to the session, so the application can continue to obtain new tokens via refresh token exchange for the user even if the user no longer has a session with Auth0. If tokens should stop being issued once the session ends, that has to be enforced on the refresh token itself (its own lifetime, or revoking it at logout), not through the session inactivity timeout.
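The behaviour described in the two paragraphs above, as an added, simplified Python model of the Authorization Server's session bookkeeping (this is illustrative code written for this article, not Auth0's implementation or SDK). It assumes only two operations: an /authorize request, which creates or extends a session (and, with prompt=none, fails with login_required when no live session exists), and a refresh token exchange, which never consults or extends the session. The plan caps are the minutes quoted from the Session Lifetime Limits text above; the revoke() operation is a hypothetical stand-in for revoking a refresh token at logout and is not discussed in the article.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# System limits quoted in the Session Lifetime Limits text (minutes).
PLAN_INACTIVITY_CAP_MIN = {
    "essential": 4_320,       # 3 days
    "professional": 4_320,    # 3 days
    "enterprise": 144_000,    # 100 days
}


def effective_inactivity_timeout(configured_minutes: int, plan: str) -> int:
    """A configured inactivity timeout above the plan cap is superseded by the cap."""
    return min(configured_minutes, PLAN_INACTIVITY_CAP_MIN[plan])


@dataclass
class Session:
    user_id: str
    last_interaction: datetime  # time of the last /authorize request, never of a refresh


@dataclass
class RefreshToken:
    user_id: str
    revoked: bool = False


class AuthServerModel:
    """Hypothetical, simplified model: only /authorize touches the session clock."""

    def __init__(self, configured_inactivity_min: int, plan: str) -> None:
        minutes = effective_inactivity_timeout(configured_inactivity_min, plan)
        self.inactivity = timedelta(minutes=minutes)
        self.sessions: Dict[str, Session] = {}
        self.refresh_tokens: Dict[str, RefreshToken] = {}

    def session_active(self, user_id: str, now: datetime) -> bool:
        s = self.sessions.get(user_id)
        return s is not None and now - s.last_interaction < self.inactivity

    def authorize(self, user_id: str, now: datetime, prompt: Optional[str] = None) -> dict:
        """GET /authorize. prompt=none is silent authentication: it only succeeds with a
        live session, but a successful call counts as an interaction and resets the timer.
        The code-for-token exchange is collapsed into this call for brevity."""
        if self.session_active(user_id, now):
            self.sessions[user_id].last_interaction = now
        elif prompt == "none":
            return {"error": "login_required"}
        else:
            self.sessions[user_id] = Session(user_id, now)  # interactive login starts a session
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = RefreshToken(user_id)
        return {"refresh_token": rt}

    def refresh(self, refresh_token: str, now: datetime) -> dict:
        """POST /oauth/token with grant_type=refresh_token. The session is neither checked
        nor extended; a revoked token is the only failure modelled here."""
        tok = self.refresh_tokens.get(refresh_token)
        if tok is None or tok.revoked:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": refresh_token}

    def revoke(self, refresh_token: str) -> None:
        """Hypothetical logout hook: stops further refreshes independently of the session."""
        if refresh_token in self.refresh_tokens:
            self.refresh_tokens[refresh_token].revoked = True


def refresh_only_scenario() -> dict:
    """User logs in once; the app then refreshes hourly for four days and never calls /authorize."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timeline
    srv = AuthServerModel(configured_inactivity_min=4_320, plan="essential")  # 3-day limit
    rt = srv.authorize("alice", t0)["refresh_token"]
    last = {}
    for hour in range(1, 24 * 4 + 1):
        last = srv.refresh(rt, t0 + timedelta(hours=hour))
    t_end = t0 + timedelta(days=4)
    silent = srv.authorize("alice", t_end, prompt="none")
    srv.revoke(rt)
    return {
        "session_active": srv.session_active("alice", t_end),          # False: refreshes did not count
        "refresh_still_works": "access_token" in last,                  # True: session expiry is irrelevant
        "silent_auth_error": silent.get("error"),                        # "login_required"
        "refresh_after_revoke": srv.refresh(rt, t_end).get("error"),     # "invalid_grant"
    }


def silent_auth_keeps_session_alive() -> bool:
    """Contrast: one prompt=none request per day is an interaction and keeps the session live."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timeline
    srv = AuthServerModel(configured_inactivity_min=4_320, plan="essential")
    srv.authorize("bob", t0)
    for day in range(1, 6):
        srv.authorize("bob", t0 + timedelta(days=day), prompt="none")
    return srv.session_active("bob", t0 + timedelta(days=5, hours=12))


if __name__ == "__main__":
    print(refresh_only_scenario())
    print("silent auth keeps session alive:", silent_auth_keeps_session_alive())
```

The model makes the practical consequence visible: after four days of nothing but refreshes the session is gone and a silent-auth check returns login_required, yet the same refresh token still mints access tokens until it is revoked. It also shows the flip side, that polling /authorize with prompt=none to "check" the session is itself an interaction and keeps the session alive.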