"invalid_grant (Unknown or invalid refresh token)" Error When Using Refresh Tokens in Next.js App

Problem Summary

I’m integrating Auth0 into a Next.js application (using [@auth0/nextjs-auth0]) and occasionally encounter the following error when attempting to refresh the access token:

Error: The request to refresh the access token failed. CAUSE: invalid_grant (Unknown or invalid refresh token.)

This prevents my application from obtaining a new access token and results in users being logged out or forced to log in again.


Environment

  • Framework: Next.js (app directory, server-side functions)
  • Auth0 SDK: @auth0/nextjs-auth0 (edge or nodejs runtime) [Specify which you’re using]
  • Auth0 Application Type: [Single Page Application / Regular Web Application]
  • Refresh Token Rotation: Enabled
  • “Allow Offline Access”: Enabled in Application and API
  • Scopes Requested: openid profile email offline_access
  • Audience: [your audience here]
  • Hosting Provider: [Vercel/AWS/Other]

Steps to Reproduce

  1. User logs in through Auth0 login page.
  2. Application requests tokens with offline_access scope.
  3. After a period of time (once the access token expires), the app/server attempts to use the refresh token to get a new access token (via getAccessToken).
  4. The error appears:

Error: The request to refresh the access token failed. CAUSE: invalid_grant (Unknown or invalid refresh token.)

What I’ve Checked

  • Confirmed that “Allow Offline Access” is enabled in both the Application and API.
  • Confirmed that refresh token rotation is enabled.
  • Confirmed that my login request includes the offline_access scope.
  • Observed that the refresh token is present in the session after login, but becomes invalid after some time or on token refresh.
  • Using getAccessToken() to obtain the access token on the server.
  • [If relevant:] I am using the Edge runtime for some API routes.
    (Note: I’ve learned that session updates might not work properly in Edge runtime, which could be related.)

Questions & Help Needed

  • Is there an official recommended way to handle refresh tokens in Next.js, especially with the Edge runtime?
  • What are common pitfalls that can cause refresh tokens to become invalid unexpectedly?
  • Is this expected if users log out on other devices, or is there a best practice for session refresh and handling invalid_grant errors?
  • Should I avoid the Edge runtime for routes that handle authentication/session logic?

Relevant Code Snippets

import { getAccessToken } from "@auth0/nextjs-auth0";

// ...in my server-side function (Route Handler / Server Component)
try {
  // Reads the session; if the access token has expired and a refresh token
  // is present, the SDK calls the Auth0 token endpoint to get a new one.
  const { accessToken } = await getAccessToken();
  // use accessToken
} catch (err) {
  // A failed refresh surfaces here with the message
  // "The request to refresh the access token failed. CAUSE: invalid_grant (...)"
  console.error("Auth0 token error:", err);
  // handle error (usually redirect to login)
}

Additional Context

  • I’ve noticed that switching to Node.js runtime seems to alleviate the issue in some cases.
  • I want to provide the best, most seamless user experience with silent token refreshes when possible.

Any guidance or best practices would be much appreciated!
Thank you in advance for your help.
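A worked example to go with the snippet in the post. It is added here and is not code from the original post or from the @auth0/nextjs-auth0 SDK. It shows how a server-side caller can react to a failed refresh: classify the error (the `invalid_grant` text quoted in the post means Auth0 rejected the refresh token, so the caller should stop and send the user back to login rather than retry with the same token), retry only transient network failures, and collapse concurrent refresh calls within one server process into a single request. The last point matters with refresh token rotation enabled: presenting an already-rotated refresh token a second time is treated by Auth0 as token reuse, which returns invalid_grant and invalidates the whole token family. Assumptions: the `getAccessToken` argument is injected (in the app it would be the SDK call from the snippet); the error is only assumed to carry a `message`; the `/api/auth/login` path in the usage comment is the SDK's default login route and may differ in your configuration; the sample error below is constructed from the message in the post.

```javascript
// Added example, not from the original post or the @auth0/nextjs-auth0 SDK.
// Assumptions (hypothetical, adapt to your app):
//   - `getAccessToken` is any async function resolving to { accessToken } or throwing.
//   - The thrown error carries a `message`; nothing else about its shape is assumed.

// Decide what to do with a failed getAccessToken() call.
//   "login"   -> Auth0 rejected the refresh token (revoked, expired, rotated and
//                reused, or the session was ended elsewhere). Retrying would
//                present the same token again, so stop and send the user to login.
//   "retry"   -> transient transport failure; the refresh token is still valid.
//   "rethrow" -> anything else; surface it rather than masking it.
function classifyAccessTokenError(err) {
  const message = String((err && err.message) || err || "");
  if (/invalid_grant/i.test(message)) {
    return { action: "login", reason: "refresh token rejected by Auth0 (invalid_grant)" };
  }
  if (/fetch failed|ECONNRESET|ECONNREFUSED|ETIMEDOUT|EAI_AGAIN/i.test(message)) {
    return { action: "retry", reason: "transient network error reaching the token endpoint" };
  }
  return { action: "rethrow", reason: "unrecognised error" };
}

// Single-flight: concurrent callers in one process share one in-flight refresh.
// Two parallel requests that each present the same rotated refresh token look
// like token reuse to Auth0; the second one is what produces invalid_grant.
function singleFlight(fn) {
  let inflight = null;
  return function () {
    if (!inflight) {
      inflight = Promise.resolve()
        .then(fn)
        .finally(() => { inflight = null; });
    }
    return inflight;
  };
}

// Build a getter that returns a plain result instead of throwing for the
// "user must log in again" case:
//   { ok: true, accessToken }                on success
//   { ok: false, action: "login", reason }   when the refresh token is gone
// Transient failures are retried up to maxRetries times; other errors rethrow.
function createSafeTokenGetter(getAccessToken, { maxRetries = 1 } = {}) {
  const refresh = singleFlight(getAccessToken);
  return async function getAccessTokenSafely() {
    let attempt = 0;
    for (;;) {
      try {
        const { accessToken } = await refresh();
        return { ok: true, accessToken };
      } catch (err) {
        const verdict = classifyAccessTokenError(err);
        if (verdict.action === "retry" && attempt < maxRetries) {
          attempt += 1;
          continue;
        }
        if (verdict.action === "login") {
          return { ok: false, action: "login", reason: verdict.reason };
        }
        throw err;
      }
    }
  };
}

// Usage in a Node.js-runtime Route Handler (sketch; assumes the SDK import from the
// post and the SDK's default /api/auth/login route):
//   const getToken = createSafeTokenGetter(() => getAccessToken(), { maxRetries: 1 });
//   const result = await getToken();
//   if (!result.ok) return Response.redirect(new URL("/api/auth/login", req.url));
//   // ...call your API with result.accessToken

// Constructed sample: a stand-in for the SDK call that fails exactly as the post shows.
const demoInvalidGrant = async () => {
  throw new Error(
    "The request to refresh the access token failed. CAUSE: invalid_grant (Unknown or invalid refresh token.)"
  );
};
createSafeTokenGetter(demoInvalidGrant)().then((result) => {
  console.log(result); // { ok: false, action: "login", reason: "refresh token rejected by Auth0 (invalid_grant)" }
});
```

Note that the single-flight cache is per process: on a serverless or edge host each instance has its own, so it only removes races between concurrent requests that land on the same instance. It also does not help if the SDK cannot write the rotated refresh token back into the session cookie after a successful refresh, since the next request would then present the old, already-rotated token; that is a reason to keep the routes that perform the refresh on a runtime where session updates are known to work.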