Security Concerns: How to refresh tokens?

I have 2 types of clients:

In both cases, I don’t want the user to relogin (unless after 1 month of inactivity or so), similar behavior to Facebook.

I read the docs, and I understand how to use all Auth0 endpoints. However, I am concerned if they are really secure, and how Auth0 works behind the scenes. I’ll break down into 2 separate questions:

  • For SPAs. I use implicit grants (=accessToken). No refresh tokens, I agree with that. But I don’t understand how Silent Authentication works. This access token I get back, it is short-lived, am I correct? Do I store it in the localStorage? Also, when calling the renewAuth endpoint, how can I be sure that it’s my client app that called it, not a hacker? Is the accessToken appended somewhere in that renewAuth request?

  • For mobile apps. I understood that storing refreshTokens is secure enough. The problem comes with the communication between the server and the mobile app. I understood also how PKCE works. However, my question is: if I use a WebView, and use HTTPS (without ever using a custom protocol scheme), I don’t need to implement PKCE, is that correct? Secure communication is secured by SSL.

Thanks in advance.