The user is logged out after one hour despite the use of refresh tokens

We’re seeing users get disconnected after roughly one hour, even though we use refresh tokens every 10 minutes.
To meet security standards, we enabled refresh token rotation.

Our assumption was that refresh tokens could renew the access token (session) indefinitely. However, this doesn’t seem to be the case given our application settings:

Maximum ID token lifetime: 3600 seconds
Idle refresh token lifetime: 900 seconds
Maximum refresh token lifetime: 3600 seconds

Our hypothesis is that the session expires after 3600 seconds (the maximum refresh token lifetime), even if we continuously rotate and refresh the token.

Are we missing something, or is this understanding correct?
If so, setting the maximum refresh token lifetime to 31,557,600 seconds (1 year) on a device that stays continuously connected would effectively allow a one‑year session without requiring the user to log in again.

Hi @Alex.the.seal

Welcome to the Auth0 Community!

You are correct. With Refresh Token Rotation, the Maximum Refresh Token Lifetime is an absolute cap for the entire refresh token family. Once that limit is reached, the family can’t be used to get new tokens, even if you’ve been rotating regularly. Rotation helps with security, but it doesn’t extend the absolute lifetime.

If you raise the Maximum Refresh Token Lifetime (up to 31,557,600s = 1 year) and keep rotating before the idle window elapses, users can continue exchanging RTs for new ATs without re-logging in until that absolute limit is reached.

Thanks, and feel free to post if you have any additional questions!
Dawid
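As an added illustration of the behaviour described in the question and the answer above (this is example code, not Auth0's implementation; the class and function names, the reuse-detection rule and the `>=` expiry comparison are assumptions), the model below tracks one refresh-token family with the three lifetimes quoted in the question and simulates a client that rotates on a fixed interval. Rotating every 600 seconds stays inside the 900-second idle window but still fails at the 3600-second absolute cap; rotating every 1200 seconds fails earlier on the idle window; raising the absolute cap to one year lets rotation continue past the two-hour horizon of the simulation.

```python
"""Model of refresh-token rotation with idle and absolute lifetimes.

Example code added to the thread, not Auth0's code. Names and the exact
boundary semantics (expiry when elapsed time >= lifetime) are assumptions.
Lifetimes are in seconds and match the settings quoted in the question.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

IDLE_LIFETIME = 900        # Idle refresh token lifetime
ABSOLUTE_LIFETIME = 3600   # Maximum refresh token lifetime (cap for the family)


class RefreshError(Exception):
    """Raised when a refresh token cannot be exchanged."""


@dataclass
class TokenFamily:
    """One rotation family: created at login, every rotated token shares
    the family's absolute expiry; only the most recently issued token is live."""
    created_at: int
    absolute_lifetime: int
    idle_lifetime: int
    current: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    last_used_at: int = 0
    revoked: bool = False

    def __post_init__(self) -> None:
        self.last_used_at = self.created_at


def rotate(family: TokenFamily, presented: str, now: int) -> str:
    """Exchange the live refresh token for a new one at time `now`.

    Order of checks: revoked family, reuse of an already-rotated token
    (assumed to revoke the whole family, the usual rotation safeguard),
    absolute cap measured from login, then idle window measured from the
    last successful rotation. Rotation resets only the idle clock.
    """
    if family.revoked:
        raise RefreshError("family revoked")
    if presented != family.current:
        family.revoked = True
        raise RefreshError("refresh token reuse detected; family revoked")
    if now - family.created_at >= family.absolute_lifetime:
        family.revoked = True
        raise RefreshError("absolute lifetime reached; re-authentication required")
    if now - family.last_used_at >= family.idle_lifetime:
        family.revoked = True
        raise RefreshError("idle lifetime exceeded")
    family.current = secrets.token_urlsafe(16)
    family.last_used_at = now
    return family.current


def simulate(interval: int, absolute_lifetime: int,
             idle_lifetime: int = IDLE_LIFETIME,
             horizon: int = 7200) -> tuple[int, str]:
    """Log in at t=0 and rotate every `interval` seconds.

    Returns (time of the first failed rotation, reason), or
    (-1, "still valid at horizon") if every rotation up to `horizon` succeeded.
    """
    family = TokenFamily(created_at=0, absolute_lifetime=absolute_lifetime,
                         idle_lifetime=idle_lifetime)
    token = family.current
    t = interval
    while t <= horizon:
        try:
            token = rotate(family, token, t)
        except RefreshError as exc:
            return t, str(exc)
        t += interval
    return -1, "still valid at horizon"


if __name__ == "__main__":
    # Client rotating every 10 minutes against the settings from the question.
    print("600s interval, 3600s cap:", simulate(600, ABSOLUTE_LIFETIME))
    # Rotating slower than the idle window fails on the idle clock first.
    print("1200s interval, 3600s cap:", simulate(1200, ABSOLUTE_LIFETIME))
    # One-year cap from the question: rotation keeps going past the horizon.
    print("600s interval, 1-year cap:", simulate(600, 31_557_600))
```

The simulation makes the answer's point concrete: the absolute cap is checked against the family's login time, not the last rotation, so no rotation cadence can push it out; only raising the cap itself does that, at the cost that a stolen live token on a connected device stays exchangeable until reuse detection or the cap ends the family.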