Prevent SPA JS SDK from doing iframe-based silent authentication

Problem Statement

When a SPA JS SDK is used with Refresh Token support (useRefreshTokens: true), the SDK will still fall back to iframe-based silent authentication using the Auth0 session if the Refresh Token exchange fails. We want to avoid that and rely on Refresh Token exchange only.

Cause

This behavior happens by design in the SDK.

Solution

To avoid this fallback, you can set the useRefreshTokensFallback option to false in the SDK constructor. Eg:

auth0 = new Auth0Client({
  // ... other configuration
  useRefreshTokensFallback: false
});

This feature is available only in SPA JS SDK versions 1.22.0 upwards.