There’s never a refresh token in a SPA scenario.
Yet there’s a knowledge article on Auth0 about using Refresh Tokens with SPAs:
Auth0 recommends using Refresh Token Rotation which provides a secure method for using Refresh Tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP.
Why the discrepancy? (Or am I misunderstanding something?)