Securing access tokens in SPA + API

To be honest, I’m not quite sure what this particular paragraph around an “SPA with a backend” is referring to, I will clarify this internally.

Which seems to gloss over WHERE you store the access token.

Yes, I noted that as well, especially for the Regular Web App and the Native/Mobile App scenarios. I’ve logged this internally for improvement today.

Anyway, from what I understand, you have a SPA and an API you’re protecting which are separate from each other, so the described scenario for SPA without a backend would apply. Therefore, the Silent Authentication approach should work well for you.

How do you get the access token from Auth0 in the first place? Which SDK are you using? Is it auth0-js or auth0-spa-sdk (the new SDK)?
(So, I guess you’re either using the Implicit Grant or the Authorization Code Grant with PKCE).
