The Uniqueness of Refresh Tokens

Problem statement

This article clarifies whether the refresh token is unique and if it can be reused/recycled by Auth0.

Solution

There are two types of refresh tokens, the non-rotating refresh token and the rotating refresh token. Neither is unique in a strict technical sense: both are random values, so a duplicate is possible in principle, but the probability of duplication is considered close enough to zero to be negligible.

This is similar to a UUID (also known as a GUID). A version-4 UUID is a 128-bit value, 122 bits of which are random, so technically it is not guaranteed to be unique either; it is nonetheless used as a unique identifier in practice.

According to the Wikipedia article on UUIDs:

  • “When generated according to the standard methods, UUIDs are, for practical purposes, unique.”
  • “While the probability that a UUID will be duplicated is not zero, it is generally considered close enough to zero to be negligible.”
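To put "close enough to zero" in numbers, the following is an added example (not Auth0 code, and not a description of how Auth0 generates its tokens) that applies the birthday bound to random identifiers of a given bit length. The UUID figures use the real RFC 4122 version-4 layout (122 random bits); Auth0 does not publish the length of its refresh tokens, so `TOKEN_BYTES` is an assumption used only to illustrate the arithmetic for an opaque token.

```python
"""Birthday-bound estimate of collision probability for random identifiers.

Added example, not Auth0 code. TOKEN_BYTES is an assumption (Auth0 does not
document the size of its refresh tokens); UUID4_RANDOM_BITS is the RFC 4122 value.
"""
import math
import secrets
import uuid

UUID4_RANDOM_BITS = 122   # 128-bit UUID minus 4 version bits and 2 variant bits
TOKEN_BYTES = 32          # assumption: a 256-bit opaque token drawn from a CSPRNG


def collision_probability(n_ids: int, random_bits: int) -> float:
    """Probability that at least two of n_ids uniformly random values of
    random_bits bits collide (birthday bound, valid when n_ids << 2**random_bits).

    p ≈ 1 - exp(-n(n-1) / 2^(bits+1)), which for small p is ≈ n^2 / 2^(bits+1).
    """
    exponent = -(n_ids * (n_ids - 1)) / 2 ** (random_bits + 1)
    return -math.expm1(exponent)


def ids_for_probability(target_p: float, random_bits: int) -> int:
    """Roughly how many ids can be issued before the collision probability
    reaches target_p (inverts the small-p approximation p ≈ n^2 / 2^(bits+1))."""
    return int(math.sqrt(target_p * 2 ** (random_bits + 1)))


def new_uuid4() -> str:
    """A version-4 UUID: 128 bits, 122 of them random."""
    return str(uuid.uuid4())


def new_opaque_token() -> str:
    """URL-safe base64 of TOKEN_BYTES CSPRNG bytes, comparable to an opaque token."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def has_duplicate(values) -> bool:
    """True if any value appears twice; this is the check a token store would
    enforce if it needed uniqueness rather than relying on probability."""
    seen = set()
    for v in values:
        if v in seen:
            return True
        seen.add(v)
    return False


if __name__ == "__main__":
    for n in (10**6, 10**9, 10**12):
        p = collision_probability(n, UUID4_RANDOM_BITS)
        print(f"{n:>15,} UUIDv4 values -> p(collision) ≈ {p:.3e}")
    print("UUIDv4 values before p reaches 1e-9:", f"{ids_for_probability(1e-9, UUID4_RANDOM_BITS):,}")
    p = collision_probability(10**12, 8 * TOKEN_BYTES)
    print(f"{10**12:>15,} 256-bit tokens  -> p(collision) ≈ {p:.3e}")
    sample = [new_opaque_token() for _ in range(100_000)]
    print("duplicate in a 100,000-token sample:", has_duplicate(sample))
```

For a trillion version-4 UUIDs the estimate is on the order of 10^-13, and it falls by a further factor of roughly 2^134 for 256-bit tokens, which is why neither is deduplicated at issue time. The practical consequence for a consumer is to treat the token as an opaque value and, if a system genuinely requires uniqueness (for example a database key), to enforce it with a unique constraint on the store rather than assuming it.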