Passwordless SMS Embedded Login Flow

Hi all,

I’m using Auth0 for the first time and am trying to get a grasp of the general auth flow I should be following for my mobile application. I’ve been having trouble setting up Passwordless Embedded Login using the React Native SDK, so I’m now using the Authentication API (i.e. /passwordless/start, /oauth/token).

I am able to send an SMS code to my device, verify the code, and produce an access token and refresh token, which I am storing using the React Native Secure Key Store package. I’m not sure what to do from here. Should I be hitting /oauth/token every time the app launches to get a new access token with my refresh token? How do I know if my access token is expired? I have an internal API I’m wanting to pass access tokens to, but I’m not sure how to know when the stored access token needs to be refreshed or not.

Any input on what the general flow should look like would be appreciated!

In the response you receive from the token endpoint (/oauth/token), you should have a parameter called expires_in, which will be the expiration in seconds of the received access token, so you can use that to roughly calculate the expiration date and time.

Having said that, your application should always be prepared to receive an unauthorized response from the API, and may treat that as a sign that the access token may have expired and proceed to try to renew the token once you receive an unauthorized response.

In other words, it should not be required for you to use the refresh token on every application load, and it is likely better to use expires_in or an unauthorized response from the API.
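As an added example (not part of this thread, and not Auth0's own SDK code), here is how the answer's two strategies fit together in JavaScript, the language of a React Native app. It assumes a `storage` object with async `getItem`/`setItem` (a thin wrapper over the Secure Key Store, not imported here), an injected fetch-compatible `fetchFn` so it runs offline, and placeholder tenant and client id values; the fake token endpoint, fake internal API and sample tokens are constructed for the demonstration.

```javascript
// Added example, not from the original thread or Auth0's SDK: a token manager
// using the answer's two strategies (expires_in bookkeeping, refresh-and-retry
// on 401). Assumptions: `storage` has async getItem/setItem (a Secure Key Store
// wrapper, not imported) and `fetchFn` is fetch-compatible and injected, so the
// flow runs offline against the constructed fakes at the bottom.
const AUTH0_DOMAIN = 'YOUR_TENANT.auth0.com'; // placeholder, not a real tenant
const CLIENT_ID = 'YOUR_CLIENT_ID';           // placeholder
const STORAGE_KEY = 'auth0_tokens';
const CLOCK_SKEW_SECONDS = 60; // treat a token as expired slightly early

// expires_in is a lifetime in seconds; anchor it to "now" so the stored
// record carries an absolute expiry rather than a relative one.
function tokenRecordFromResponse(body, nowSeconds) {
  return { accessToken: body.access_token, refreshToken: body.refresh_token,
           expiresAt: nowSeconds + body.expires_in };
}

// A missing record, or one inside the skew window, counts as expired.
function isExpired(record, nowSeconds, skew = CLOCK_SKEW_SECONDS) {
  return !record || nowSeconds + skew >= record.expiresAt;
}

class TokenManager {
  constructor({ storage, fetchFn, now }) {
    this.storage = storage;
    this.fetchFn = fetchFn;
    this.now = now || (() => Math.floor(Date.now() / 1000));
    this.refreshCount = 0; // calls made to /oauth/token
  }
  async load() {
    const raw = await this.storage.getItem(STORAGE_KEY);
    return raw ? JSON.parse(raw) : null;
  }
  async save(record) { await this.storage.setItem(STORAGE_KEY, JSON.stringify(record)); }

  // refresh_token grant; if this fails the user has to log in again.
  async refresh(record) {
    const res = await this.fetchFn(`https://${AUTH0_DOMAIN}/oauth/token`, {
      method: 'POST', headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ grant_type: 'refresh_token', client_id: CLIENT_ID,
                             refresh_token: record.refreshToken }),
    });
    if (!res.ok) throw new Error(`refresh failed with HTTP ${res.status}`);
    const next = tokenRecordFromResponse(await res.json(), this.now());
    if (!next.refreshToken) next.refreshToken = record.refreshToken; // no rotation
    this.refreshCount += 1;
    await this.save(next);
    return next;
  }

  // Strategy 1: consult expires_in before each call; refresh only when needed,
  // not unconditionally on every app launch.
  async getAccessToken() {
    const record = await this.load();
    if (!record) throw new Error('not logged in');
    if (!isExpired(record, this.now())) return record.accessToken;
    return (await this.refresh(record)).accessToken;
  }

  // Strategy 2: a 401 from the internal API may mean the token expired or was
  // revoked server-side; refresh and retry exactly once.
  async callApi(url, init = {}) {
    const send = (token) => this.fetchFn(url, {
      ...init, headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` },
    });
    let res = await send(await this.getAccessToken());
    if (res.status === 401) res = await send((await this.refresh(await this.load())).accessToken);
    return res;
  }
}

// Constructed fake backend: the token endpoint issues access-1, access-2, ...
// and the internal API accepts only the most recently issued token.
function makeFakeFetch() {
  let issued = 0, current = 'access-0';
  return async (url, init) => {
    if (url.endsWith('/oauth/token')) {
      current = `access-${++issued}`;
      return { ok: true, status: 200, json: async () =>
        ({ access_token: current, refresh_token: 'rt-1', expires_in: 3600 }) };
    }
    const ok = init.headers.Authorization === `Bearer ${current}`;
    return { ok, status: ok ? 200 : 401, json: async () => ({}) };
  };
}

// Three calls: valid token (no refresh), clock past expiry (refresh via
// expires_in), token rotated behind our back (refresh via the 401 retry).
// Returns [status, refreshCount] per call.
async function runDemo() {
  let clock = 1000000;
  const map = new Map();
  const storage = { getItem: async (k) => (map.has(k) ? map.get(k) : null),
                    setItem: async (k, v) => { map.set(k, v); } };
  const fetchFn = makeFakeFetch();
  const mgr = new TokenManager({ storage, fetchFn, now: () => clock });
  await mgr.save(tokenRecordFromResponse(
    { access_token: 'access-0', refresh_token: 'rt-1', expires_in: 3600 }, clock));
  const API = 'https://api.example.internal/me'; // constructed URL
  const log = [];
  log.push([(await mgr.callApi(API)).status, mgr.refreshCount]);
  clock += 3600; // stored access token is now past its expiry
  log.push([(await mgr.callApi(API)).status, mgr.refreshCount]);
  await fetchFn(`https://${AUTH0_DOMAIN}/oauth/token`, {}); // rotate server-side only
  log.push([(await mgr.callApi(API)).status, mgr.refreshCount]);
  return log; // [[200, 0], [200, 1], [200, 2]]
}
```

The skew window matters in practice: the phone's clock and the token endpoint's clock differ, so `isExpired` refreshes a minute early rather than trusting `expires_in` to the second. The 401 retry is deliberately limited to one attempt; if the refresh itself fails (revoked refresh token, network down) the `refresh` call throws and the app should fall back to the passwordless login screen instead of looping.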

Perfect, that’s what I needed to know. Thank you!