Refresh Tokens

Refresh Tokens

Auth0 issues an access token or an ID token in response to an authentication request. You can use access tokens to make authenticated calls to a secured API, while the ID token contains user profile attributes represented in the form of claims. Both are JSON web tokens (JWTs) and therefore have expiration dates indicated using the exp claim, as well as security measures, like signatures. Typically, a user needs a new access token when gaining access to a resource for the first time, or after the previous access token granted to them expires.

An OAuth Refresh Token is a credential artifact that OAuth can use to get a new access token without user interaction. This allows the Authorization Server to shorten the access token lifetime for security purposes without involving the user when the access token expires. You can request new access tokens until the refresh token is on the DenyList.

It is important to keep the number of refresh tokens within a reasonable manageable limit to make sure that it’s easy to maintain those credentials safely and securely. Applications must store refresh tokens securely because they essentially allow a user to remain authenticated forever.

Offline access

If you want to allow users to get refresh tokens while offline, you can select the Allow Offline Access switch in API Settings.

You can increase security by using refresh token rotation which issues a new refresh token and invalidates the predecessor token with each request made to Auth0 for a new access token. Rotating the refresh token reduces the risk of a compromised refresh token.

Limitations

Auth0 limits the amount of active refresh tokens to 200 tokens per user per application. This limit only applies to active tokens. If the limit is reached and a new refresh token is created, the system revokes and deletes the oldest token for that user and application. Revoked tokens and expired tokens do not count against the limit. To review our recommendations and best practices to avoid excess tokens, read Token Best Practices.

Enable OIDC Flag

The refresh token behavior is applicable to OIDC-conformant applications. You can configure an application to be OIDC-conformant in one of the following ways:

  1. Enabling the OIDC Conformant flag for an app.

  2. Passing an audience claim to the /authorize endpoint of the Authentication API.

SDK support

For web apps

Auth0 SDKs support refresh tokens including:

  • Node.js

  • ASP.NET Core

  • PHP

  • Java

For a complete listing, see Quickstarts.

For single-page apps

Providing secure authentication in SPAs has a number of challenges based on your application’s use case. New browser privacy controls like Intelligent Tracking Prevention (ITP) adversely impact the user experience in SPAs by preventing access to third-party cookies.

Auth0 recommends using refresh token rotation which provides a secure method for using refresh tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP.

Auth0’s former guidance was to use the Authorization Code Flow with Proof Key for Code Exchange (PKCE) in conjunction with Silent Authentication in SPAs. This is a more secure solution than the Implicit Flow but not as secure as the Authorization Code Flow with Proof Key for Code Exchange (PKCE) with refresh token rotation.

For native/mobile apps

For native applications, refresh tokens improve the authentication experience significantly. The user has to authenticate only once, through the web authentication process. Subsequent re-authentication can take place without user interaction, using the refresh token.

For information on using refresh tokens with our mobile SDKs, see:

Learn more