Null Refresh Token with Embedded Lock and Implicit Flow

Problem statement

When using Embedded Login with Lock.js to start an Implicit Flow, the authResult object passed to the authenticated event listener shows the Refresh Token (refreshToken) as null. According to the following Lock.js documentation, the authResult object should contain a Refresh Token:

The authenticated event listener has a single argument, an authResult object. This object contains the following properties: accessToken, idToken, state, refreshToken and idTokenPayload.

Cause

The Implicit Grant does not support Refresh Token issuance, so the null value returned by the Lock.js library is expected. Auth0’s documentation on the Implicit Flow states:

Refresh tokens will no longer be returned when using the Implicit Flow for authentication.

Solution

The Implicit grant never returns a Refresh Token, regardless of the library used to call the Auth0 Authentication API. If a Refresh Token is needed, migrate to the Authorization Code Flow with PKCE, which allows that token type to be issued. Note that even with that flow a Refresh Token is only issued when the offline_access scope is included in the authorization request, and that a browser-based application should treat a Refresh Token as a long-lived credential and store it with care.