
Where should refresh token happen, client or API server?

refresh-tokens
#1

Hey there, I’ve implemented all I need so far with Auth0 except for refresh tokens and have a bit of trouble understanding the flow. I have my own API that does all the calls to Auth0 and would be consumed from a mobile app. Should the processing and storing of refresh tokens happen on the client (mobile) side, or on my server side?
Thanks in advance.

#2

Hello,
It is up to you where you want to store them. But taking into consideration the security of the token, the best place would be to store it in your API, where you are the only one with access, then using the refresh token.
Maybe this post can help: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/
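
A sketch of the server-side option suggested in the reply above, as an added example that is not part of the original thread or Auth0's own code. `ServerSideTokenStore`, `fake_token_endpoint` and the tenant host are hypothetical names; the form fields are the standard OAuth 2.0 refresh token grant, and the HTTP call is injected so the block runs offline.

```python
import secrets
from typing import Callable, Dict

# Placeholder tenant host (assumption); /oauth/token is the token endpoint path.
TOKEN_URL = "https://YOUR_TENANT.example/oauth/token"

class ServerSideTokenStore:
    """Hypothetical helper: refresh tokens stay on the API server and the
    mobile app only ever holds an opaque, revocable handle."""

    def __init__(self, client_id: str, client_secret: str, post: Callable[[str, dict], dict]):
        self._client_id = client_id
        self._client_secret = client_secret
        self._post = post  # injected HTTP POST: (url, form) -> parsed JSON
        self._tokens: Dict[str, str] = {}  # handle -> refresh token (in-memory for the example)

    def enroll(self, refresh_token: str) -> str:
        """Store the refresh token obtained at login; return the app's handle."""
        handle = secrets.token_urlsafe(32)
        self._tokens[handle] = refresh_token
        return handle

    def refresh(self, handle: str) -> str:
        """Exchange the stored refresh token for a new access token."""
        stored = self._tokens.get(handle)
        if stored is None:
            raise PermissionError("unknown or revoked handle")
        body = self._post(TOKEN_URL, {
            "grant_type": "refresh_token",  # OAuth 2.0 refresh grant
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "refresh_token": stored,
        })
        if "access_token" not in body:
            self._tokens.pop(handle, None)  # rejected: force a fresh login
            raise PermissionError(body.get("error", "refresh failed"))
        if "refresh_token" in body:  # rotation: keep only the newest token
            self._tokens[handle] = body["refresh_token"]
        return body["access_token"]

    def revoke(self, handle: str) -> None:
        self._tokens.pop(handle, None)

def fake_token_endpoint(url: str, form: dict) -> dict:
    """Constructed stand-in for the token endpoint so the example runs offline."""
    if not form["refresh_token"].startswith("rt-"):
        return {"error": "invalid_grant"}
    n = int(form["refresh_token"][3:]) + 1
    return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}"}
```

The handle is still a credential for the app's session with the API, so it needs the same transport and storage care as any session token; what changes is that the refresh token and client secret never leave the server and the handle can be revoked there.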