I’m using Auth0’s Refresh Token Grant in a desktop (native) application and have explicitly disabled Allow Refresh Token Rotation in my tenant settings. However, a few users received this error:
What I’ve verified so far:
- Rotation is off in the dashboard under **Applications → My Native App → Allow Refresh Token Rotation
- I’m storing and re-using the exact RT that Auth0 returned on initial authentication.
- No Management API calls have been made to revoke grants programmatically.
Environment Details:
- App Type: Native/Desktop (not SPA)
- Tenant Region: us
- Set Idle Refresh Token Lifetime: Disabled
- Set Maximum Refresh Token Lifetime: 30 Days
- Allow Refresh Token Rotation: Disabled
Questions:
- Could the “Set Maximum Refresh Token Lifetime” setting still be in effect, even though “Allow Refresh Token Rotation” is disabled, and be causing this error after 30 days have passed since the user received the refresh token?