Hi @dfleming,
Thanks for reaching out to the Auth0 Community!
First, let me clarify that the Token Length should not have any effect on the user not being prompted to provide their credentials to log in.
The Success Exchange and Success Login logs you mentioned suggest to me that the user must have logged in without being prompted for their credentials by successfully exchanging a Refresh Token for an Access Token.
To be sure, could you please confirm if the description of your Success Exchange logs states “Successful exchange of Refresh Token for Access Token”?
(Reference: Log Event Type Codes)
If so, then the Absolute Expiration of the Refresh Token in your Application settings, and the Inactivity timeout and Require log in after in your tenant settings are responsible for keeping the user logged in without interaction.
Because of this, I recommend checking these settings and selecting an expiration value that fits your needs.
Reference Materials:
Please let me know if you have any questions.
Thanks,
Rueben