RefreshToken is undefined in NextJS


I am using the nextjs-auth0 library to authenticate users in my app. I need refresh tokens for my Auth0 Application, however I am not getting them. I have included my initAuth0 below, which includes the scopes etc. I need back. I have confirmed that my application has a grant type of “Refresh Token” enabled, and that absolute expiration is enabled.


```ts
import { initAuth0 } from "@auth0/nextjs-auth0";

export default initAuth0({
	baseURL:
		process.env.AUTH0_BASE_URL ||
		"https://" + process.env.NEXT_PUBLIC_VERCEL_URL,
	issuerBaseURL: process.env.AUTH0_ISSUER_BASE_URL,
	clientID: process.env.AUTH0_CLIENT_ID,
	clientSecret: process.env.AUTH0_CLIENT_SECRET,
	secret: process.env.AUTH0_SECRET,
	authorizationParams: {
		response_type: "code",
		// offline_access is the scope that asks for a refresh token
		scope: "openid profile email offline_access",
	},
	session: {
		rolling: true,
		rollingDuration: 60 * 60 * 24, // 1 day, in seconds
		absoluteDuration: 60 * 60 * 24 * 7, // 7 days, in seconds
	},
});
```

The response I get back has the lines:

```
  accessTokenExpiresAt: 1699484513,
  refreshToken: undefined,
```

When I change the scopes in the above code, for example removing profile, it is changed in the returned session.

The way I am checking for the session is:

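```ts
import type { NextApiRequest, NextApiResponse } from "next";
import type { Session } from "@auth0/nextjs-auth0";
// auth0: the instance created with initAuth0 (its import is not shown here)

// Runs after the callback has been processed; returns the session unchanged
const afterCallback = (
	req: NextApiRequest,
	res: NextApiResponse,
	session: Session,
) => {
	return session;
};

export default auth0.handleAuth({
	async callback(req: NextApiRequest, res: NextApiResponse) {
		try {
			await auth0.handleCallback(req, res, { afterCallback });
		} catch (error: unknown) {
			const err = error as { status?: number; message?: string };
			res.status(err.status || 500).end(err.message);
		}
	},
});
```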

Any guidance would be much appreciated!

Hey @oimtiaz !

I’m not seeing an audience param anywhere, but it looks like you’re receiving an access token so you may be handling that elsewhere. Can you confirm that whichever API identifier you are using as your audience while initializing the SDK has the “Allow Offline Access” option toggled in the API settings in your dashboard?


So, I’m not using an API, but my Auth0 Application itself. When I manually go through the authorization/authentication flow using the Application’s information, I am getting a refresh_token back. When I run through the same flow in my NextJS app, I’m seeing that I don’t get the refresh_token back. I’m very confused why it would work in Postman but not in Next. My Application has refresh token rotation enabled, and the absolute expiration is on (with no option to turn it off).
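Added example, not part of the original thread or of nextjs-auth0: when a manual flow returns a `refresh_token` and the app does not, a useful first check is to diff the `/authorize` requests the two flows send. The function names are hypothetical, and the tenant host, client id, audience and URLs are constructed placeholders.

```javascript
// Added example (not from the thread): diff the parameters of two /authorize
// requests, e.g. one from a manual flow and one from the app's login redirect.
const COMPARED_PARAMS = ["response_type", "client_id", "audience"];

function parseAuthorizeUrl(url) {
  const params = new URL(url).searchParams;
  const fields = {};
  for (const name of COMPARED_PARAMS) fields[name] = params.get(name);
  // scope is a space-delimited set, so the order of its values does not matter
  const scopes = new Set((params.get("scope") || "").split(/\s+/).filter(Boolean));
  return { fields, scopes };
}

function compareAuthorizeRequests(firstUrl, secondUrl) {
  const first = parseAuthorizeUrl(firstUrl);
  const second = parseAuthorizeUrl(secondUrl);
  const paramDiffs = COMPARED_PARAMS
    .filter((name) => first.fields[name] !== second.fields[name])
    .map((name) => ({ name, first: first.fields[name], second: second.fields[name] }));
  return {
    paramDiffs,
    scopesOnlyInFirst: [...first.scopes].filter((s) => !second.scopes.has(s)).sort(),
    scopesOnlyInSecond: [...second.scopes].filter((s) => !first.scopes.has(s)).sort(),
    // offline_access is the scope that requests a refresh token
    bothRequestOfflineAccess:
      first.scopes.has("offline_access") && second.scopes.has("offline_access"),
  };
}

// Constructed sample URLs (hypothetical tenant, client id and audience).
const MANUAL_FLOW_URL =
  "https://tenant.example/authorize?response_type=code&client_id=CLIENT_ID_PLACEHOLDER" +
  "&audience=https%3A%2F%2Fapi.example&scope=openid%20profile%20email%20offline_access";
const APP_FLOW_URL =
  "https://tenant.example/authorize?response_type=code&client_id=CLIENT_ID_PLACEHOLDER" +
  "&scope=offline_access+openid+email";

console.log(JSON.stringify(compareAuthorizeRequests(MANUAL_FLOW_URL, APP_FLOW_URL), null, 2));
```

The app-side URL can be taken from the `Location` header of the login redirect or from the browser's network tab.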


Thanks for sharing!

The API I am referencing is the API that the access token is intended to be used against.

Do you mind sharing how you are going about this manually/in Postman? Please redact any sensitive information.

I actually realized I did not need a refresh token, so I have moved away from this approach. Thank you for your help!


No problem! Happy to help 🙂
