Issue while requesting an access token that contains a refresh token too

Hello,

I am trying to build a feature to request an Auth0 token that includes a refresh token in the response. The idea is to have a native Auth0 application for mobile login, and then use the refresh token to get a new access token from the backend (Machine-to-Machine Auth0 app). However, I encountered the following error:

The client associated with this refresh token (ksOb6....98fn9IQJwvv7i) is different than the one sent in the request (GNtkD4.......hDEymRVNXmB9).

I understand that the refresh token should be requested under the same app.

My question is: How should the refresh token be used in this case? Is the only way to request a new access token for the mobile to perform the refresh token request on the same native app that was used for the initial authentication?

Or is it possible to get the refresh token from the access token? (I highly doubt it, since it could be reused if someone leaks the access token, and that would be like having their password 100%.)

Thank you.

Hey there @r.paja, welcome to the community!

Yes, you are correct in that refresh tokens should only be used within the application they were issued to.

It is not possible to get a refresh token from an existing access token. Ensure your initial authentication request includes the offline_access scope to get a refresh token.

Once a refresh token is returned, the mobile SDK you are using should handle the refreshing of tokens for you. Android CredentialsManager for example:
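As an added illustration (not code from this thread or from Auth0), the toy authorization server below models the two points in the answer: a refresh token is only issued when the login request carried the offline_access scope, and the token is bound to the client_id it was issued to, so redeeming it from a different client (the M2M app in the question) yields the mismatch error quoted above. The client ids and user name are placeholders.

```python
"""Toy model of the OAuth 2.0 refresh-token grant as applied here:
a refresh token is issued only when offline_access was requested, and
it can only be redeemed by the client it was issued to (constructed
example; not Auth0's implementation)."""
import secrets
from dataclasses import dataclass, field

CLIENT_MISMATCH = ("The client associated with this refresh token ({issued}) "
                   "is different than the one sent in the request ({sent}).")


@dataclass
class AuthServer:
    # refresh_token -> (issuing client_id, user); constructed in-memory store
    _refresh: dict = field(default_factory=dict)

    def authorize(self, client_id: str, user: str, scope: str) -> dict:
        """Initial login. A refresh_token appears only with offline_access."""
        resp = {"access_token": self._mint_access(client_id, user), "expires_in": 86400}
        if "offline_access" in scope.split():
            rt = secrets.token_urlsafe(32)
            self._refresh[rt] = (client_id, user)  # bind the token to the issuing client
            resp["refresh_token"] = rt
        return resp

    def refresh(self, client_id: str, refresh_token: str) -> dict:
        """grant_type=refresh_token: reject tokens bound to another client."""
        bound = self._refresh.get(refresh_token)
        if bound is None:
            return {"error": "invalid_grant", "error_description": "Unknown refresh token"}
        issued_to, user = bound
        if issued_to != client_id:
            return {"error": "invalid_grant",
                    "error_description": CLIENT_MISMATCH.format(issued=issued_to, sent=client_id)}
        return {"access_token": self._mint_access(client_id, user), "expires_in": 86400}

    @staticmethod
    def _mint_access(client_id: str, user: str) -> str:
        # Opaque stand-in for a signed JWT; it carries nothing that yields a refresh token.
        return f"at.{client_id}.{user}.{secrets.token_hex(8)}"


def demo():
    """Returns (no refresh token without offline_access, same-app refresh ok, M2M refresh rejected)."""
    srv = AuthServer()
    native, backend = "NATIVE_APP_CLIENT_ID", "M2M_APP_CLIENT_ID"  # placeholder ids
    no_rt = srv.authorize(native, "alice", "openid profile")       # scope lacks offline_access
    login = srv.authorize(native, "alice", "openid profile offline_access")
    same = srv.refresh(native, login["refresh_token"])             # the issuing app refreshes
    other = srv.refresh(backend, login["refresh_token"])           # the M2M app tries the same token
    return ("refresh_token" not in no_rt, "access_token" in same,
            other.get("error_description", "").startswith("The client associated"))
```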