Refresh Token Used with a Wrong Client ID

Problem statement

When a rotational refresh token is used with the wrong client ID, Auth0 returns the following error:

{"error":"invalid_grant","error_description":"The client associated with this refresh token (CLIENT_ID_1) is different than the one sent in the request (CLIENT_ID_2)."}

At that point, is the refresh token considered used? Can it be used again with the correct client ID (CLIENT_ID_1)?

Solution

No, this call is not considered a valid refresh token use. The same rotational refresh token can be safely used again with the correct client ID during the configured window when it is valid.

The validity period of the rotational refresh token depends on the Absolute and Inactivity expiration settings configured in the application settings.
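As an added example (not from this article or from Auth0's SDKs), the Python helper below shows how a client can parse the error above and keep its stored refresh token only for the wrong-client case, discarding it for any other invalid_grant; the function names, the regular expression and the client-side validity-window check are assumptions, and the sample response body is constructed from the message quoted above.

```python
import json
import re

# Constructed sample of the error body quoted in the article (not a live response).
SAMPLE_WRONG_CLIENT_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "The client associated with this refresh token (CLIENT_ID_1) "
                         "is different than the one sent in the request (CLIENT_ID_2).",
})

# Assumed pattern matching the error_description quoted in the article.
_WRONG_CLIENT_RE = re.compile(
    r"client associated with this refresh token \((?P<expected>[^)]+)\) "
    r"is different than the one sent in the request \((?P<sent>[^)]+)\)"
)


def classify_refresh_error(body: str) -> dict:
    """Decide what to do with the stored refresh token after a token-endpoint error.

    Wrong-client case from the article: the token was NOT consumed, so keep it and
    retry with the client ID Auth0 reports. Any other invalid_grant (expired,
    revoked, reuse detected) is treated as terminal and the token is discarded.
    """
    data = json.loads(body)
    if data.get("error") != "invalid_grant":
        return {"action": "other", "error": data.get("error")}
    match = _WRONG_CLIENT_RE.search(data.get("error_description", ""))
    if match:
        return {
            "action": "retry",
            "expected_client_id": match.group("expected"),
            "sent_client_id": match.group("sent"),
        }
    return {"action": "discard"}


def refresh_token_still_valid(issued_at: int, last_used_at: int, now: int,
                              absolute_lifetime: int, inactivity_lifetime: int) -> bool:
    """Client-side estimate of the window in which a retry can succeed (all in seconds).

    Models the two settings the article names: Absolute expiration (since issuance)
    and Inactivity expiration (since last successful use). A wrong-client rejection
    is not a use, so the caller must not update last_used_at for it.
    """
    return (now - issued_at) < absolute_lifetime and (now - last_used_at) < inactivity_lifetime
```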