
Obtaining refresh token along with access token in a SPA



I am using a jQuery SPA client to get an access token that I will use to access an ASP.NET Core Web API (the API is also a client of my Auth0 domain).
I am able to get an access token and access secure API resources with that access token.
Now I also want to get a refresh token alongside the access token so that I can renew my access token with the help of the refresh token.

Here are my Auth0Lock options:

var options = {
  response_type: 'token',
  auth: {
    params: {
      scope: 'openid offline_access profile',
      audience: 'audience',
      device: "my-device"
    }
  }
};

What should I do to get a refresh token?


Storing refresh tokens in browsers is not a recommended thing to do. You can research online and I’m sure you’ll find a lot of information that explains this situation.

The recommended approach to continually obtain new tokens in SPAs is to leverage the existence of a session in the authorization server. In general:

  1. The user accesses your application for the first time and as such is asked to authenticate in order for tokens to be returned to the application; in this step a session can be established at the authorization server that issued the tokens.
  2. When the initial tokens expire the client makes another request to the authorization server in order to obtain new tokens; if a session was established in the first step then new tokens can be returned without the user having to input credentials again.

You can read more about how to accomplish the above scenario in:

At this time, the above implies that you go through the Auth0 hosted login page so that the session can be correctly established.
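
The renewal step described in the answer above can be expressed with the standard OpenID Connect `prompt=none` parameter, which tells the authorization server to answer from its existing session or return an error instead of showing a login form. This is an added example, not part of the original answer and not Auth0's own code; the `/authorize` path, the `cfg` field names and all sample values are assumptions.

```javascript
// Added example. `cfg` fields (domain, clientId, redirectUri, audience) are
// placeholder names chosen for this sketch, not values from the original post.

// Unguessable `state` value so the response can be bound to this request.
// Uses the browser Web Crypto API.
function randomState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Step 2 of the answer: repeat the authorization request, but with prompt=none
// so that no credentials are asked for. No offline_access scope is requested,
// so no refresh token is issued to the browser.
function buildSilentAuthUrl(cfg, state) {
  const url = new URL('/authorize', 'https://' + cfg.domain);
  url.search = new URLSearchParams({
    response_type: 'token',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    audience: cfg.audience,
    scope: 'openid profile',
    prompt: 'none',
    state: state
  }).toString();
  return url.toString();
}

// Parse the URL fragment delivered to redirect_uri (typically loaded in a
// hidden iframe) and decide whether the renewal succeeded.
function parseSilentAuthResponse(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  // Reject responses that were not produced by our own request.
  if (p.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  // e.g. login_required: the session is gone, send the user to the login page.
  const error = p.get('error');
  if (error) {
    return { ok: false, reason: error, interactive: true };
  }
  const accessToken = p.get('access_token');
  const expiresIn = Number(p.get('expires_in'));
  if (!accessToken || !Number.isFinite(expiresIn) || expiresIn <= 0) {
    return { ok: false, reason: 'malformed_response' };
  }
  return { ok: true, accessToken: accessToken, expiresIn: expiresIn };
}
```

When the result has `interactive: true`, the session at the authorization server can no longer be reused and the application has to send the user through the interactive login again.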