Hey @Mark-Buhagiar, let me see if I can help.
Yes, that’s correct: our rotating refresh tokens have a default absolute expiry of 30 days, after which your users must log in again.

As long as you can handle the invalid refresh token error, instead of deleting local storage you should just put your users back through an interactive login flow, either by using loginWithRedirect or loginWithPopup. This is the only way you can get a new refresh token, but doing this will also refresh your local storage state so that it contains the correct and valid tokens. No need to delete manually.
^ This last point is something we could be doing better at explaining or showing how it’s done, which I will try to solve.
Also your point about Safari is correct - if you do not use local storage, you are then relying on Auth0 being able to read your Auth0 session cookie, which it is unable to do in browsers like Safari and Brave that block third-party cookies by default.
Hope that helps!
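An added example of the handling the reply above describes, written here for illustration and not taken from the original thread or from Auth0's SDK. It assumes the client is an auth0-spa-js client (the post names loginWithRedirect and loginWithPopup but not the SDK), that the error thrown by getTokenSilently() carries an `error` code, and that `invalid_grant` (the RFC 6749 code for an expired or revoked refresh token), `missing_refresh_token` and `login_required` are the codes that mean "go back through interactive login"; those codes and the `appState` option are assumptions, as is the fake client used so the block runs offline.

```javascript
// Added example (not the Auth0 SDK's or the original poster's code).
// Wraps getTokenSilently(); when the rotating refresh token has hit its
// 30-day absolute expiry (or is otherwise rejected), it sends the user back
// through an interactive login instead of clearing local storage by hand.
// The SDK rewrites its local storage state on the next successful login.

// Assumed error codes (not listed on the page) that call for interactive login.
const INTERACTIVE_LOGIN_ERRORS = new Set([
  'invalid_grant',          // refresh token expired, revoked or rotated out (assumption)
  'missing_refresh_token',  // no refresh token in local storage (assumption)
  'login_required',         // no readable Auth0 session cookie, e.g. Safari/Brave (assumption)
  'consent_required',
  'interaction_required',
]);

function requiresInteractiveLogin(err) {
  return Boolean(err) && typeof err === 'object' && INTERACTIVE_LOGIN_ERRORS.has(err.error);
}

// Returns an access token, or null when a redirect login has been started
// (the page navigates away, so callers treat null as "login in progress").
// Any error that is not a login problem is re-thrown unchanged.
async function getAccessTokenOrLogin(auth0Client, { returnTo = '/', useRedirect = true } = {}) {
  try {
    return await auth0Client.getTokenSilently();
  } catch (err) {
    if (!requiresInteractiveLogin(err)) throw err;
    if (useRedirect) {
      // appState is round-tripped back to the app after the callback (auth0-spa-js option).
      await auth0Client.loginWithRedirect({ appState: { returnTo } });
      return null;
    }
    await auth0Client.loginWithPopup();
    return auth0Client.getTokenSilently();
  }
}

// Constructed stand-in for an auth0-spa-js client so this runs offline.
// refreshTokenExpired=true simulates the absolute expiry described above.
function makeFakeClient({ refreshTokenExpired }) {
  const calls = { redirect: 0, popup: 0, lastRedirectOpts: null };
  let loggedIn = !refreshTokenExpired;
  return {
    calls,
    async getTokenSilently() {
      if (!loggedIn) {
        const e = new Error('Unknown or invalid refresh token.');
        e.error = 'invalid_grant'; // assumed code for an expired refresh token
        throw e;
      }
      return 'access-token-fresh';
    },
    async loginWithRedirect(opts) {
      calls.redirect += 1;
      calls.lastRedirectOpts = opts;
    },
    async loginWithPopup() {
      calls.popup += 1;
      loggedIn = true; // popup login issues a new refresh token
    },
  };
}

module.exports = { INTERACTIVE_LOGIN_ERRORS, requiresInteractiveLogin, getAccessTokenOrLogin, makeFakeClient };
```

In a real app you would call getAccessTokenOrLogin(client, { returnTo: window.location.pathname }) before each API request and, in the callback handler, read appState.returnTo from handleRedirectCallback() to send the user back where they were.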