What is the best practice for confirming the user is still authorized to access my application?

A lot of links point to Session Lifetime Limits, but the silent authentication flow is only possible on the frontend, where the browser keeps the Auth0 domain cookies. What am I supposed to do on the server side? Is the best practice simply to always do it on the frontend side? What about confirming it with the SSO identity provider: am I able to do it via the Auth0 API, or am I forced to use the identity provider's API?

It seems that I found a way — I can use a refresh token. However, I can’t get a refresh token using the process described here: Get Refresh Tokens. I will create a separate topic about that issue.