> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.

> Describes how to use Refresh Token rotation for you received during authorization.

# Use Refresh Token Rotation

To use <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+token">refresh token</Tooltip> rotation, you will use the Auth0 Single Page App SDK. The Auth0 SPA SDK handles token storage, session management, and other details for you.

## Prerequisite

[Configure refresh token rotation](/docs/secure/tokens/refresh-tokens/configure-refresh-token-rotation) to enable offline access and request the offline access scope in the client SDK.

## Enable useRefreshTokens

In compliance with the OAuth2 specifications, when a browser requests a refresh token from the /<Tooltip tip="Token Endpoint: Endpoint on the Authorization Server that is used to programmatically request tokens." cta="View Glossary" href="/docs/glossary?term=token+endpoint">token endpoint</Tooltip>, Auth0 will only return a refresh token if <Tooltip tip="Token Endpoint: Endpoint on the Authorization Server that is used to programmatically request tokens." cta="View Glossary" href="/docs/glossary?term=Refresh+Token+Rotation">Refresh Token Rotation</Tooltip> is enabled for that client.

Use the option `useRefreshTokens` on `createAuth0Client` which defaults to `false`. With this option set to `false`, when `getTokenSilently()` is invoked and a new <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+Token">Access Token</Tooltip> is required, the SDK attempts to acquire a new Access Token using a hidden iframe and `prompt=none`.

If you set to this option to `true`, the `offline_access` scope is automatically requested when using `loginWithRedirect(), loginWithPopup()` and `getTokenSilently()`. When `getTokenSilently()` is invoked and the Access Token has expired, the SDK attempts to renew the ID and Access Tokens by calling the `/token` endpoint using the `refresh_token` grant type along with the Refresh Token from the cache.

Silent re-authentication is achieved by sending a `prompt=none` parameter upon the authentication request and using a hidden iframe, provided that there is an active user session on the <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=authorization+server">authorization server</Tooltip>. The SDK uses the iframe method if you have set `useRefreshTokens` to `true` but no Refresh Token is available in the cache. This helps users to silently migrate to using Refresh Tokens without making them log in again.

If the exchange fails because `useRefreshTokens` is `true` but there isn't a Refresh Token in the cache, then it falls back to the iframe method (which could also fail if third-party cookies are blocked).

## Token storage

With SPAs, ID and Access Tokens are obtained from the authorization server and typically cached in memory. Token renewal (due to refreshing the browser, memory cache eviction budgets, or expiration) is handled by the SDK.

## Example

The following example shows how to configure the SDK to use both local storage and refresh tokens:

```javascript lines theme={null}
const auth0 = await createAuth0Client({
    domain: '<your Auth0 domain>',
    client_id: '<your Auth0 client ID>',
    cacheLocation: 'localstorage',
    useRefreshTokens: true
    });
    
    // Logging-in will automatically request the offline_access scope
    // and store the resulting refresh token
    auth0.loginWithRedirect();
    
    // Silently refreshing the access token will use the /token endpoint
    // with ‘refresh_token’ grant and the refresh token from the cache
    await auth0.getTokenSilently();
```

## Learn more

* [Configure Refresh Token Rotation](/docs/secure/tokens/refresh-tokens/configure-refresh-token-rotation)
* [Disable Refresh Token Rotation](/docs/secure/tokens/refresh-tokens/disable-refresh-token-rotation)
* [Token Best Practices](/docs/secure/tokens/token-best-practices)