Retrieve non rotating refresh token using SPA sdk

I am able to retrieve rotating refresh token using auth0 SPA SDK - however using non-rotating refresh token I am unable to retrieve on SPA (using PKCE authorization flow).

I understand the security risk of making non rotating refresh token available to public client (web browser here for example).


  • If I still want to access non-rotating refresh token in my SPA - how can I get it?
  • If SPA is really out of question for this situation, can I retrieve non rotating refresh token using access token and client secret from backend?

I have the user authenticated and authorized to perform API calls in SPA. I want to make non rotating refresh token available to them.

Hi @jmj,

Welcome to the Auth0 Community!

It sounds like you should be issuing the user a set of client credentials as a third party application. More info here: First-Party and Third-Party Applications

1 Like

Thanks @dan.woda - yes I read through other similar post and ended up implementing m2m apps and client credentials.

1 Like

Perfect! Let us know if you have any other questions.

1 Like

Since you are asking :slight_smile: I have other question where I could use your expertise. Username Password connection, organization & signup