What's the token expiration for Universal Login?

How often would someone need to re-enter the credentials?
Is this expiration also valid for social logins?

I can see that the universal login is based on lock, as it loads the lock script:
<script src="https://cdn.auth0.com/js/lock/11.27/lock.min.js"></script>

So I guess that the renewal limitations of Lock (not using a refresh token) also apply here.

The Auth0 session lifetime settings are under the advanced settings of your tenant. You have the option to set an inactivity timeout and a hard timeout.

ID token lifetime is set within the configuration of each app / client. You can always get a new ID token as long as the Auth0 session is still valid.

Access token lifetime is set within the configuration of each API and of course you can continue to get new access tokens for as long as you have a valid refresh token.

Thank you for your response.

Seems like the usage of refresh token is the key to extend the access.

However, it seems that the universal login screen is based on the auth-lock package, and this package does not support refresh tokens. As such, it is not clear to me how to get such extended access using the universal login.

You can use a refresh token to request new access tokens and / or ID tokens. You don’t need to do anything with Universal Login. Just call the token endpoint with the refresh token.

Thank you for your response.

In order to use this endpoint, I need to provide a refresh token.
When logging in using the auth-lock package, there is no refresh token. The returned refresh token is always null. So I don’t see how I can use this endpoint.

See references for missing refresh token here:

If your use case is a single-page app, you should start here:

Note that you don’t need a refresh token to keep the user logged in. You can silently re-authenticate the user for as long as their Auth0 session is active. If you are going to use a refresh token with a single-page app, follow the guidance in the documentation above. If you don’t follow that guidance, you risk exposing refresh tokens to an attacker. I believe you need to be using the auth code flow or auth code flow with PKCE to get a refresh token in an SPA.

@markd

Thank you for your help. I can see that I’m following the Code Flow in my app, including a POST request to https://.auth0.com/co/authenticate.

Once the login ticket is received, it is then doing a GET request to /authorize specifying client id, state, etc., along with the login ticket received from the previous step. This call does not return anything, but sets a server-side cookie. The auth0-lock package that I’m using is handling this request and is returning me back a JSON with an accessToken and a refreshToken field. However, the refresh token field is always null.

Can I make my own call to the /TOKEN endpoint to get a new refresh token, while only having an access token on hand?

You need to request a refresh token when you call the auth endpoint. Can you post your code? What does your call to the auth endpoint look like?
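
Added example, not part of the thread and not Auth0's own code: the three requests discussed above (the /authorize call with PKCE that asks for a refresh token, the code exchange, and the later refresh call to the token endpoint) built as plain strings in Node.js. The helper names are hypothetical, and the tenant domain, client ID, redirect URI and audience are placeholders supplied by the caller.

```javascript
// Added example. Tenant domain, client ID and URLs passed in are constructed
// placeholders; the helper names are hypothetical.
const crypto = require('node:crypto');

// PKCE (RFC 7636): a random verifier kept by the client, and its S256 challenge.
function createVerifier() {
  return crypto.randomBytes(32).toString('base64url');
}
function challengeFor(verifier) {
  return crypto.createHash('sha256').update(verifier).digest('base64url');
}

// Step 1: the /authorize request. A refresh token is only issued when the
// offline_access scope is requested here.
function buildAuthorizeUrl({ domain, clientId, redirectUri, audience, state, verifier }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: 'openid profile offline_access',
    audience,
    state,
    code_challenge: challengeFor(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Step 2: form body for POST https://<domain>/oauth/token, exchanging the code.
function buildCodeExchangeBody({ clientId, redirectUri, code, verifier }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    code,
    redirect_uri: redirectUri,
    code_verifier: verifier,
  }).toString();
}

// Step 3: form body for the same endpoint, later, to obtain new tokens.
function buildRefreshBody({ clientId, refreshToken }) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  }).toString();
}
```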