Online Refresh Tokens (ORTs) are a type of refresh token designed specifically for browser-based applications, such as single-page applications (SPAs). ORTs can keep track of a user’s session in SPAs when browser privacy features like Intelligent Tracking Prevention (ITP) block access to third-party cookies, making traditional silent authentication unreliable. ORTs are bound to the user’s Auth0 session and can only be used while that session is active, ensuring that when a user logs out all applications using that session are logged out together.Documentation Index
Fetch the complete documentation index at: https://auth0.com/llms.txt
Use this file to discover all available pages before exploring further.
How it works
When you request an ORT:- Your application includes the
online_accessscope in the authorization request. - Auth0 returns an ORT bound to the user’s current session.
- Each time you exchange the ORT for a new access token, Auth0 extends the session’s idle timeout.
- The token remains valid as long as the underlying Auth0 session is active.
Comparison of ORTs versus refresh tokens
| Feature | ORTs | refresh token |
|---|---|---|
| Scope requested | online_access | offline_access |
| Session binding | Bound to Auth0 session | Independent of session |
| Lifetime | Determined by session lifetime | Configured token lifetime |
| Token rotation | Does not rotate | Supports rotation |
| Demonstration of Proof of Possession (DPoP) requirement | Required for public clients (SPA, Native) | Optional (resource server config) |
| Revocation | Revokes the entire session | Revokes only the token |
| Management API | Not visible | Visible via the Management API |
| Session idle timeout | Extended on each exchange | No effect on session |
Key behavioral differences
Session extension: When you exchange an ORT, Auth0 resets the session idle timeout, keeping the user session alive. Auth0 does not extend the session’s absolute lifetime. No rotation: Auth0 does not rotate ORTs. This is because ORTs are stateless and are bound to the session rather than stored individually. DPoP enforcement: For public clients (such as SPAs), Auth0 requires DPoP when using ORTs. Because ORTs operate at the same security level as a session cookie granting access to the user’s authenticated session, they must be protected with the same rigor. DPoP prevents token theft and replay attacks. Stateless: ORTs are bound to a session, so they cannot be seen or managed independently. You cannot see them in the Management API or revoke them individually.Best practices
- Store tokens in memory: Avoid storing ORTs in
localStorageorsessionStorage. Keep them in JavaScript memory for better security. Since ORTs are bound to the Auth0 session, the session cookie will re-establish context on the user’s next visit, allowing your app to request a fresh ORT. - Handle session expiration gracefully: Implement proper error handling for cases when the session has expired. Redirect users to re-authenticate without losing their work.
- Use DPoP for public clients: ORTs require DPoP for public clients. Ensure your implementation generates and uses DPoP proofs correctly.
- Do not rely on token structure: Treat ORTs as opaque strings. Don’t parse or rely on any internal structure—this may change.
- Monitor session lifetime: Be aware of both idle and absolute session timeouts. The absolute timeout cannot be extended via refresh token exchange.
Limitations
Unsupported flows
ORTs are only available for flows that create an interactive browser session. The following flows cannot issue ORTs:| Flow | Reason |
|---|---|
| Device Authorization Flow | Session created in browser, token used on different device |
| Implicit Flow | OAuth spec prohibits refresh tokens in implicit flow |
| Resource Owner Password Grant | No browser session is created |
| Client Credentials Flow | No user or session involved |
| Custom Token Exchange | No session to bind the token to |
online_access scope in any of these flows, the scope is silently ignored and no refresh token is issued.
Scope conflicts
You cannot request bothonline_access and offline_access in the same authorization request. If both scopes are included, Auth0 returns an error:
- Use
online_accessfor browser-based applications that benefit from SSO continuity. - Use
offline_accessfor applications that need tokens to work independently of the browser session.