I’m using the auth0-spa-js library and, while everything works as expected, I noticed that each time I reload the page (e.g. with the browser reload button) a redirect is made to the /authorize endpoint. Since the user still has a valid session, no login page is shown. However, a new code is generated and then exchanged for a new token.
My question is: is that the expected behaviour? I thought that the token would be stored in-memory in the browser (session storage, etc.) and silently refreshed. But maybe I’m thinking about this the wrong way and this is normal since it is an SPA, i.e. each page reload executes all scripts and the Auth0Client is newly created.