Auth0 issues an access token or an ID token in response to an authentication request. You can use access tokens to make authenticated calls to a secured API, while the ID token contains user profile attributes represented in the form of claims. Both are JSON web tokens (JWTs) and therefore have expiration dates indicated using the
exp claim, as well as security measures, like signatures. Typically, a user needs a new access token when gaining access to a resource for the first time, or after the previous access token granted to them expires.
A refresh token is a special kind of token used to obtain a renewed access token. You can request new access tokens until the refresh token is blacklisted. Applications must store refresh tokens securely because they essentially allow a user to remain authenticated forever.
For native applications, refresh tokens improve the authentication experience significantly. The user has to authenticate only once, through the web authentication process. Subsequent re-authentication can take place without user interaction, using the refresh token.
You can increase security by using refresh token rotation which issues a new refresh token and invalidates the predecessor token with each request made to Auth0 for a new access token. Rotating the refresh token reduces the risk of a compromised refresh token.
The refresh token behavior is applicable to OIDC-conformant applications. You can configure an application to be OIDC-conformant in one of the following ways:
Enabling the OIDC Conformant flag for an app.
audienceclaim to the /authorize endpoint of the Authentication API.
For web apps
Auth0 SDKs support refresh tokens including:
For a complete listing, see Quickstarts.
For single-page apps
Providing secure authentication in SPAs has a number of challenges based on your application’s use case. New browser privacy controls like Intelligent Tracking Prevention (ITP) adversely impact the user experience in SPAs by preventing access to third-party cookies.
Auth0 recommends using refresh token rotation which provides a secure method for using refresh tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP.
Auth0’s former guidance was to use the Authorization Code Flow with Proof Key for Code Exchange (PKCE) in conjunction with Silent Authentication in SPAs. This is a more secure solution than the Implicit Flow but not as secure as the Authorization Code Flow with Proof Key for Code Exchange (PKCE) with refresh token rotation. If you want a more detailed explanation about the challenges of using the Implicit Flow in SPAs, please read this blog article OAuth2 Implicit Grant and SPA.
For native/mobile apps
For information on using refresh tokens with our mobile SDKs, see: