Auth0 SPA JS SDK Falls Back to Iframe Authentication on Refresh Token Failure

Overview

When using the Single Page Application (SPA) JavaScript (JS) Software Development Kit (SDK) with refresh token support (useRefreshTokens: true), the SDK may fall back to iframe-based silent authentication if the refresh token exchange fails. When that exchange fails, the SPA JS SDK does not surface an error from getTokenSilently. Instead, it attempts to renew tokens by sending a prompt=none&response_mode=web_message request to Auth0 in a hidden iframe. This behavior can allow a session to be renewed even after the refresh token's absolute lifetime has expired, provided the Auth0 session itself persists. This article explains how to disable this fallback so that token renewal relies only on the refresh token exchange.

Applies To
  • Auth0 Single Page Application JavaScript Software Development Kit (version 1.22.0 and later)
  • Refresh Tokens

Cause

This fallback behavior occurs by design in the SPA JS SDK.

Solution

To avoid this fallback, set the useRefreshTokensFallback option to false in the SDK constructor.

import { Auth0Client } from '@auth0/auth0-spa-js';

const auth0 = new Auth0Client({
  // ... other configuration, including useRefreshTokens: true
  useRefreshTokensFallback: false // do not fall back to iframe (prompt=none) renewal when the refresh token exchange fails
});


NOTE: This feature is available only in SPA JS SDK versions 1.22.0 and later.
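The following is an added example, not code from the Auth0 SDK or this article. It is a small model of the renewal path described above, written to show concretely what changes when useRefreshTokensFallback is set to false: with the fallback enabled, a refresh token that has passed its absolute lifetime still yields fresh tokens as long as the Auth0 session is alive; with it disabled, the failure surfaces to the application, which can then send the user through an interactive login. The functions simulateRefreshExchange, simulateIframeAuth, renewTokens, getTokenOrRequireLogin and auditClientOptions, and the session state values, are constructed for this illustration and are not SDK APIs.

```javascript
// Constructed Auth0 session state for the scenario in the article: the refresh
// token has passed its absolute lifetime, but the Auth0 (server-side) session
// is still alive.
const constructedState = {
  refreshTokenExpired: true,
  auth0SessionAlive: true,
};

// Models the refresh-token grant (assumed behaviour): it fails once the refresh
// token's absolute lifetime has passed.
function simulateRefreshExchange(state) {
  if (state.refreshTokenExpired) {
    return { ok: false, error: 'invalid_grant' };
  }
  return { ok: true, source: 'refresh_token' };
}

// Models the prompt=none&response_mode=web_message iframe request (assumed
// behaviour): it succeeds whenever the Auth0 session is still valid, regardless
// of the refresh token's state.
function simulateIframeAuth(state) {
  if (state.auth0SessionAlive) {
    return { ok: true, source: 'iframe' };
  }
  return { ok: false, error: 'login_required' };
}

// Models the getTokenSilently decision described in the article: try the
// refresh token first; on failure, use the iframe only if the fallback has not
// been disabled with useRefreshTokensFallback: false.
function renewTokens(state, options) {
  const refresh = simulateRefreshExchange(state);
  if (refresh.ok) return refresh;

  const fallbackEnabled = options.useRefreshTokensFallback !== false;
  if (fallbackEnabled) {
    const viaIframe = simulateIframeAuth(state);
    if (viaIframe.ok) return viaIframe;
    throw new Error(viaIframe.error);
  }
  // Fallback disabled: the refresh failure is reported to the application.
  throw new Error(refresh.error);
}

// Application-side handling: a failed silent renewal is the signal to require
// an interactive login rather than keep extending access from the Auth0 session.
function getTokenOrRequireLogin(state, options) {
  try {
    const result = renewTokens(state, options);
    return { action: 'use_token', source: result.source };
  } catch (err) {
    return { action: 'redirect_to_login', reason: err.message };
  }
}

// Configuration check: flag an Auth0Client options object that uses refresh
// tokens but leaves the iframe fallback enabled.
function auditClientOptions(options) {
  const findings = [];
  if (options.useRefreshTokens === true && options.useRefreshTokensFallback !== false) {
    findings.push(
      'useRefreshTokensFallback is not false: a failed refresh token exchange will fall back to iframe authentication'
    );
  }
  return findings;
}

// Fallback left at its default: tokens are renewed from the Auth0 session even
// though the refresh token has expired.
console.log(getTokenOrRequireLogin(constructedState, { useRefreshTokens: true }));

// Fallback disabled: the application is told to start an interactive login.
console.log(getTokenOrRequireLogin(constructedState, { useRefreshTokens: true, useRefreshTokensFallback: false }));

console.log(auditClientOptions({ useRefreshTokens: true }));
```

The audit function is the kind of check worth running over your Auth0Client configuration in a unit test, so that the fallback cannot be re-enabled silently by a later change to the options object.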
