New token on each page reload?


I’m using the auth0-spa-js library and while everything works as expected I noticed that each time I reload the page (e.g. with the browser reload button) a redirect is made to the /authorize endpoint. Since the user still has a valid session no login page is shown. However a new code is generated and then exchanged for a new token.

My question is - is that the expected behaviour? I thought that the token would be stored in-memory in the browser (session storage, etc.) and silently refreshed. But maybe I’m thinking about this the wrong way and this is normal since it is an SPA, i.e. each page reload executes all scripts and the Auth0Client is newly created.


Hi @pavel.nikolov,

Welcome to the Community!

Sorry for the delayed response.

Yes, this is expected. If the token is stored in memory, then it will be erased when the page is refreshed. A new token is silently requested via a cookie session.

We have more recently released a way to persist a refresh token in localStorage, but a new access token/ID token is still requested on page reload.
