iOS App refresh token expectations

We are utilizing refresh tokens in our iOS app and encountering errors when refreshing through CredentialsManager. Our logs indicate around 10k errors per day at around 1~2% error rate per dau.

The majority of the errors report The credentials renewal failed. CAUSE: Unknown or invalid refresh token. Our remote logs indicate that refresh token reuse is common. The refresh token leeway is set to 3 seconds.

We’ve verified best practices are followed when integrating with the iOS Auth0 SDK such as:

  • Calling store method once on user login
  • Verifying that only a single instance of CredentialsManager is initialized
  • Using the latest version of Auth0 SDK with thread-safe version of CredentialsManager

My question are:

  1. What’s the acceptable rate of errors when utilizing refresh tokens?
  2. What’s the recommended refresh token reuse leeway configuration?
  3. How to best respond to token errors. In our app currently, the response to any token refresh error is logging the user out of the application and requiring the user to re-login which can cause users to drop off the app.