This article provides information about the parameters surrounding when a user is logged in and is able to stay logged in, including how browser versions and cookies play a role.

Session management can be complex and depend on different factors.

It is important to understand there are three session layers: the actual application session, the Auth0 server-side session, and the possible Identity Provider (IdP) layer session (for example, google social or enterprise connections). 

Review the Session management document about session logout for more details on these concepts. 

If using refresh tokens, these are used to generate new access tokens. Review this as well to look at the configuration that is available. This setting is configured at the application level in the dashboard. This should be reviewed depending on the application.  

• Custom API token lifetime
• Configure Refresh Token Expiration