We have a pretty simple website, React frontend and .NET core on the backend. We are using Auth0 and setup JWT bearer authentication.
If we go to the website (https://mywebsite.com), it will either bring us to the auth0 login screen or pass us through to the app with cached creds. From the website we can then navigate to a page, https://mywebsite.com/Object/1. That page makes a request to the backend for data.
I can see in that request that the bearer token is included in the request.
If I were to just refresh that page now, it will make the same request and will come back with a 401. I can see by examining the request, when I refresh the page, it does not include the bearer token.
This is expected behavior as auth0-react stores tokens in memory by default and therefore not persisted across page reloads. You can look into using getAccessTokenSilently when calling your API to work around this: