isAuthenticated$ return false

We have Angular App which we wrapper in Ionic. In guard class we check if user is authenticated by checking isAutheticated$. Eventhough the user just authenticated the isAuthenticated returns false. Next time it returns true and stays like that. We’ve pretty much followed the example from auth0 site, except there is no guard class there.
We have custom domain on production instance configured and we use refresh tokens and we really run out of ideas :frowning:

this is my auth guard class

export class AuthGuard implements CanActivate {

  constructor(private auth: AuthService, private router: Router, private configService: ConfigService) { }

  canActivate(next: ActivatedRouteSnapshot, state: RouterStateSnapshot): Observable<boolean> {
    return this.auth.isAuthenticated$.pipe(
      tap(loggedIn => {
        if (!loggedIn) {

  private login() {
        async openUrl(url: string) {
          await{ url, windowName: '_self' })
          error: err => console.error('Error triggering login', err)


this is how we listen for authentication browser events in the main app component

    async initAuth0Listener() {
        App.addListener('appUrlOpen', ({url}) => {
            // Must run inside an NgZone for Angular to pick up the changes
   => {
                if (url?.startsWith(callbackUri)) {  // || url?.includes('')
                    console.debug('callbackUri '+ callbackUri);
                    console.debug('url '+ url);
                    if (url.includes('state=') && (url.includes('error=') || url.includes('code='))) {
                            mergeMap(() => {
                                console.debug('inside handle redirect callback');
                                this.router.navigateByUrl('/learning', {replaceUrl: true});
                                return Browser.close();
                    } else if (url.includes('callback')) {
                        this.router.navigateByUrl('/callback', {replaceUrl: true})
                    } else {

and this is Auth0 client config

onst config: AuthConfig = {
    authorizationParams: {
        redirect_uri: '',
        audience: environment.auth.audience
    // For using Auth0-Angular with Ionic on Android and iOS,
    // it's important to use refresh tokens without the fallback
    useRefreshTokens: true,
    useRefreshTokensFallback: false,
    cacheLocation: 'localstorage',            
    // The AuthHttpInterceptor configuration
    httpInterceptor: {
        allowedList: [ 
                uri: `https://${ environment.auth.domain }/api/v2/users/`,
                tokenOptions: {
                  authorizationParams: {
                    audience: `https://${ environment.auth.domain }/api/v2/`,
                    scope: 'read:users',


here’s the screencast with the strange isAuthenticated$ behaviour

Hey there @lukaszkorona !

Please check this capacitorjs’ doc out - Storage | Capacitor Documentation to reference the local storage setting and its alternatives.

Particularly this statement may be somehow explanatory:

Local Storage can be used for small amounts of temporary data, such as a user id, but must be considered transient , meaning your app needs to expect that the data will be lost eventually.

An assumption could be that the app is able to successfully reach the local storage for an existing refresh token (to exchange it for a new access token) on a “best effort” basis.

Sorry I don’t understand what you mean. Seems the local storage is a good option for refresh token. Do you think diffrently?

I also don’t understand how could we use those other option you mentioned. We simply configure auth0 client with checkLocation parameter. What else we could do here to use the refresh tokens?