Quick Successive Client Credentials Calls Return Same Token

Problem statement

If quick successive calls are made to the “/oauth/token” endpoint, it will return the same token (i.e. multiple requests in a second). Is there a way to disable caching on the Auth0 side in order to return a unique token on each request?


The same token returned within the same second for two calls with the same payload.

Steps to reproduce

Call the /oauth/token endpoint with the same payload rapidly (>2 calls in one second).


Check timings on access tokens.


The same token is issued when these requests are processed within the same second because the payload hasn’t changed, and the returned claims are also identical. Most importantly, in this case, the iat and exp claims are the same as the previous call, as they only have a maximum resolution of 1 second.

When the values of these claims change, such as the server processing the request in the next second, then you will get a token with a different payload (as the token was issued at and expires one second later than the previous token), and thus the signature will also change. As the RS256 algorithm is deterministic, the same header and payload will always result in the same signature.


It is recommended to cache tokens, but if a use case requires a unique token regardless of timings on the call for the same payload, add a custom claim GUID on Machine to Machine (M2M) flows to ensure the returned tokens are unique, as this will result in a differing payload regardless of the rate of requests.

Related Resources

Machine to Machine Flow

1 Like