Refresh Tokens

Auth0 issues an access token or an ID token in response to an authentication request. You can use access tokens to make authenticated calls to a secured API, while the ID token contains user profile attributes represented in the form of claims. Both are JSON web tokens (JWTs) and therefore have expiration dates indicated using the exp claim, as well as security measures, like signatures. Typically, a user needs a new access token when gaining access to a resource for the first time, or after the previous access token granted to them expires.

An OAuth Refresh Token is a credential artifact that OAuth can use to get a new access token without user interaction. This allows the Authorization Server to shorten the access token lifetime for security purposes without involving the user when the access token expires. You can request new access tokens until the refresh token is on the DenyList.

It is important to keep the number of refresh tokens within a reasonable manageable limit to make sure that it’s easy to maintain those credentials safely and securely. Applications must store refresh tokens securely because they essentially allow a user to remain authenticated forever.

You can increase security by using refresh token rotation which issues a new refresh token and invalidates the predecessor token with each request made to Auth0 for a new access token. Rotating the refresh token reduces the risk of a compromised refresh token.

Auth0 limits the amount of active refresh tokens to 200 tokens per user per application. This limit only applies to active tokens. If the limit is reached and a new refresh token is created, the system revokes and deletes the oldest token for that user and application. Revoked tokens and expired tokens do not count against the limit. To review our recommendations and best practices to avoid excess tokens, read Token Best Practices.

The refresh token behavior is applicable to OIDC-conformant applications. You can configure an application to be OIDC-conformant in one of the following ways:

1. Enabling the OIDC Conformant flag for an app.

2. Passing an audience claim to the /authorize endpoint of the Authentication API.

Auth0 SDKs support refresh tokens including:

• Node.js

• ASP.NET Core

• PHP

• Java

For a complete listing, see Quickstarts.

Providing secure authentication in SPAs has a number of challenges based on your application’s use case. New browser privacy controls like Intelligent Tracking Prevention (ITP) adversely impact the user experience in SPAs by preventing access to third-party cookies.

Auth0 recommends using refresh token rotation which provides a secure method for using refresh tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP.

For native applications, refresh tokens improve the authentication experience significantly. The user has to authenticate only once, through the web authentication process. Subsequent re-authentication can take place without user interaction, using the refresh token.

For information on using refresh tokens with our mobile SDKs, see:

• Mobile/Native Quickstarts

• Lock Android: Refresh JWT Tokens

• Lock iOS: Save and Renew JWT Tokens

• Get Refresh Tokens
• Use Refresh Tokens
• Revoke Refresh Tokens
• Refresh Token Rotation
• Configure Refresh Token Expiration
• Token Best Practices