
> Describes how refresh tokens work to allow the application to ask Auth0 to issue a new access token or ID token without having to re-authenticate the user.

# Refresh Tokens

Auth0 issues an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> or an <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> in response to an authentication request. You use access tokens to make authenticated calls to a secured API, while the ID token carries user profile attributes in the form of claims. ID tokens are always <Tooltip tip="JSON Web Token (JWT): Open standard (RFC 7519) for representing signed claims as a compact, URL-safe string." cta="View Glossary" href="/docs/glossary?term=JSON+web+tokens">JSON web tokens</Tooltip> (JWTs), and access tokens are JWTs when the request names an API `audience` (otherwise Auth0 issues an opaque token). A JWT states its expiration time in the `exp` claim and carries a signature that the recipient must verify before trusting any claim. An application needs a new access token when it first calls an API, and again whenever the previous access token expires.

An <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth">OAuth</Tooltip> <Tooltip tip="Refresh Token: Long-lived credential an application presents to the authorization server to obtain a new access token without user interaction." cta="View Glossary" href="/docs/glossary?term=Refresh+Token">Refresh Token</Tooltip> is a credential that the application presents to Auth0 to obtain a new access token (and, when the `openid` scope was granted, a new ID token) without user interaction. This lets the <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=Authorization+Server">Authorization Server</Tooltip> keep access token lifetimes short for security purposes without sending the user back through login each time one expires. The application can keep requesting new access tokens until the refresh token expires or is revoked (placed on the DenyList).

Keep the number of refresh tokens per user within a reasonable, manageable limit so that those credentials can be maintained safely and securely. Applications must store refresh tokens securely: a refresh token is a long-lived credential that, unless expiration is configured, lets whoever holds it stay authenticated indefinitely, so a leaked refresh token is worth far more to an attacker than a leaked access token.

<Card title="Offline access">
  Offline access means the application can obtain tokens while the user is not present. To let applications request refresh tokens (the `offline_access` scope), turn on the **Allow Offline Access** switch in [API Settings](/docs/get-started/apis/api-settings).
</Card>

You can increase security by using [refresh token rotation](/docs/secure/tokens/refresh-tokens/refresh-token-rotation), which issues a new refresh token and invalidates its predecessor on every request to Auth0 for a new access token. Rotation limits how long a stolen refresh token remains usable and lets Auth0 detect when an already-rotated token is presented again.

### Limitations

* Auth0 limits the number of active refresh tokens to 200 per user per application. This limit applies only to active tokens. If the limit is reached and a new refresh token is created, the system revokes and deletes the oldest token for that user and application. Revoked and expired tokens do not count against the limit. To review our recommendations and best practices for avoiding excess tokens, read [Token Best Practices](/docs/secure/tokens/token-best-practices).

* After a [refresh token exchange](/docs/secure/tokens/refresh-tokens/use-refresh-tokens), Auth0 does not update the `event.refresh_token.device.last*` properties for non-expiring tokens. To learn about enabling expiring refresh tokens, read [Configure Refresh Token Expiration](/docs/secure/tokens/refresh-tokens/configure-refresh-token-expiration).

### Enable OIDC Flag

The refresh token behavior described here applies to OIDC-conformant applications. Auth0 treats an application as OIDC-conformant in either of the following cases:

1. The **OIDC Conformant** flag is enabled in the application's settings.
2. The request passes an `audience` parameter to the `/authorize` endpoint of the Authentication API.
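The two halves of the flow described on this page, as an added example in Python rather than Auth0 SDK code: an OIDC-conformant `/authorize` request that names an API `audience` and asks for `offline_access`, followed by the `grant_type=refresh_token` exchange at `/oauth/token` that obtains a new access token without user interaction. The tenant domain, client credentials and API identifier are placeholders, `post` is an injected transport, and `FakeAuth0` is a constructed stand-in for the token endpoint so the block runs offline; its rotation branch is a simplified model of refresh token rotation with reuse detection, not Auth0's implementation.

```python
"""Added example, not Auth0 SDK code: request a refresh token, then exchange it.
Assumptions: AUTH0_DOMAIN, CLIENT_ID, CLIENT_SECRET and API_AUDIENCE are
placeholders; `post` is injected so the exchange runs offline against FakeAuth0."""
from dataclasses import dataclass
from urllib.parse import urlencode

AUTH0_DOMAIN = "tenant.example.auth0.com"      # placeholder tenant
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"    # confidential (server-side) client only
API_AUDIENCE = "https://api.example.com"       # placeholder API identifier


def authorize_url(redirect_uri: str, state: str) -> str:
    """Step 1: the /authorize request. `audience` names the API and makes the
    request OIDC-conformant; `offline_access` asks Auth0 to issue a refresh token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "audience": API_AUDIENCE,
        "scope": "openid profile offline_access",
        "state": state,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str      # the long-lived secret: keep it server-side or in SDK storage
    expires_at: int         # unix seconds after which access_token is no longer accepted

    def needs_refresh(self, now: int, skew: int = 60) -> bool:
        return now + skew >= self.expires_at


class RefreshFailed(Exception):
    """Raised when Auth0 rejects the refresh token; the user must log in again."""


def refresh(token_set: TokenSet, post, now: int) -> TokenSet:
    """Step 2: exchange the refresh token at /oauth/token with grant_type=refresh_token.
    `post(url, form) -> (status, json_body)` is the injected HTTP transport."""
    form = {
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,   # omit for public (SPA/native) clients
        "refresh_token": token_set.refresh_token,
    }
    status, body = post(f"https://{AUTH0_DOMAIN}/oauth/token", form)
    if status != 200:
        # invalid_grant covers revoked, expired and (under rotation) reused tokens;
        # there is no silent recovery, so send the user back through /authorize.
        raise RefreshFailed(f"{body.get('error')}: {body.get('error_description')}")
    return TokenSet(
        access_token=body["access_token"],
        # With rotation Auth0 returns a new refresh token and invalidates the old one;
        # without rotation the field is absent and the old refresh token stays valid.
        refresh_token=body.get("refresh_token", token_set.refresh_token),
        expires_at=now + body["expires_in"],
    )


class FakeAuth0:
    """Constructed stand-in for the token endpoint so the example runs offline.
    With rotate=True it models rotation plus reuse detection: each exchange retires
    the presented token, and presenting a retired token revokes the whole family."""

    def __init__(self, rotate: bool = True, access_ttl: int = 3600):
        self.rotate, self.access_ttl = rotate, access_ttl
        self.valid = {"rt_initial"}   # refresh tokens the fake still accepts
        self.retired = set()          # tokens already rotated away
        self.issued = 0

    def post(self, url: str, form: dict):
        rt = form.get("refresh_token")
        if not url.endswith("/oauth/token") or form.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type", "error_description": "fake"}
        if rt in self.retired:        # reuse of a rotated token: revoke the family
            self.valid.clear()
        if rt not in self.valid:
            return 403, {"error": "invalid_grant", "error_description": "Unknown or invalid refresh token."}
        self.issued += 1
        body = {"access_token": f"at_{self.issued}", "token_type": "Bearer",
                "expires_in": self.access_ttl}
        if self.rotate:
            self.valid.discard(rt)
            self.retired.add(rt)
            body["refresh_token"] = f"rt_{self.issued}"
            self.valid.add(body["refresh_token"])
        return 200, body
```

Note the two failure paths `refresh` treats identically: a `403 invalid_grant` is what the application sees whether the token expired, was revoked, or was replayed after rotation, so the only safe reaction is to discard the stored set and start a fresh `/authorize` request; retrying with the same refresh token never helps and, under rotation, can revoke the family for the legitimate client as well.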

## SDK support

### For web apps

Auth0 web application SDKs that support refresh tokens include:

* Node.js
* ASP.NET Core
* PHP
* Java

For a complete listing, see [Quickstarts](/docs/quickstart/webapp).

### For single-page apps

Providing secure authentication in SPAs presents a number of challenges that depend on your application's use case. Browser privacy controls such as Intelligent Tracking Prevention (ITP) block access to third-party cookies, which silently renewing a session from the browser depends on, and so degrade the user experience in SPAs.

Auth0 recommends using <Tooltip tip="Refresh Token Rotation: Strategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token." cta="View Glossary" href="/docs/glossary?term=refresh+token+rotation">refresh token rotation</Tooltip>, which provides a secure way to use refresh tokens in SPAs and gives end users seamless access to resources without the UX disruption caused by browser privacy technology such as ITP. Because a browser cannot keep a refresh token confidential, pair rotation with a short refresh token lifetime rather than a non-expiring token.

### For native/mobile apps

For native applications, refresh tokens improve the authentication experience significantly. The user authenticates only once, through the web authentication flow; afterwards the application renews its tokens without user interaction by presenting the refresh token.

For information on using refresh tokens with our mobile SDKs, see:

* [Mobile/Native Quickstarts](/docs/quickstart/native)
* [Lock Android: Refresh JWT Tokens](/docs/libraries/lock-android/lock-android-refresh-jwt)
* [Lock iOS: Save and Renew JWT Tokens](/docs/libraries/auth0-swift/auth0-swift-save-and-renew-tokens)

## Learn more

* [Get Refresh Tokens](/docs/secure/tokens/refresh-tokens/get-refresh-tokens)
* [Use Refresh Tokens](/docs/secure/tokens/refresh-tokens/use-refresh-tokens)
* [Revoke Refresh Tokens](/docs/secure/tokens/refresh-tokens/revoke-refresh-tokens)
* [Refresh Token Rotation](/docs/secure/tokens/refresh-tokens/refresh-token-rotation)
* [Configure Refresh Token Expiration](/docs/secure/tokens/refresh-tokens/configure-refresh-token-expiration)
* [Token Best Practices](/docs/secure/tokens/token-best-practices)
