Refresh Token Rotation: Automatic Reuse Detection Issue in iOS App

Overview

We have recently been facing a production issue with the behavior of the automatic reuse detection ('ferrt' error logs) after enabling refresh token rotation for our mobile iOS application, even with a high leeway time.


Symptoms

  • 'ferrt' events in the tenant logs.

Applies To

  • Refresh Token Rotation
  • Automatic Reuse Detection Issue
  • iOS App

Cause

A few things to check that could cause this issue:

  • That you are not calling the store method yourself, see: https://github.com/auth0/Auth0.swift/pull/693/files
  • That you are not creating multiple instances of the CredentialsManager, for example from a computed property.
  • That you are not calling the renew method of the Authentication API client somewhere else, separately from the Credentials Manager.
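The three causes above side by side, as an added example that is not code from this article or from the Auth0.swift project. It assumes Auth0.swift v2.x, where CredentialsManager.credentials() renews and stores credentials itself and serializes concurrent calls; the type names AuthAntiPattern and AuthSession are illustrative.

```swift
import Auth0

// Added example (not from the article or the Auth0.swift project). Assumes
// Auth0.swift v2.x, where CredentialsManager.credentials() renews and stores
// credentials itself and is thread-safe.

// Anti-pattern 1: a computed property returns a NEW CredentialsManager on every
// access, so concurrent callers never share one lock or one cached view of the
// stored credentials, and two callers can each exchange the same refresh token.
struct AuthAntiPattern {
    var credentialsManager: CredentialsManager {
        CredentialsManager(authentication: Auth0.authentication())
    }

    func refreshManually() {
        credentialsManager.credentials { result in
            guard case let .success(credentials) = result,
                  let refreshToken = credentials.refreshToken else { return }
            // Anti-pattern 2 and 3: renewing through the Authentication API client
            // and storing the result by hand bypasses the manager's serialization.
            // If the manager already renewed, this exchange uses an older token
            // in the family and reuse detection fires regardless of leeway.
            Auth0.authentication()
                .renew(withRefreshToken: refreshToken)
                .start { renewResult in
                    if case let .success(renewed) = renewResult {
                        _ = self.credentialsManager.store(credentials: renewed)
                    }
                }
        }
    }
}

// Recommended pattern: one shared instance for the whole app, and let
// credentials() perform the renewal. Concurrent calls are queued inside the
// manager, so at most one exchange of a given refresh token reaches the server.
final class AuthSession {
    static let shared = AuthSession()
    private let credentialsManager: CredentialsManager

    private init() {
        credentialsManager = CredentialsManager(authentication: Auth0.authentication())
    }

    // Called once, right after login; the only place store(credentials:) is used.
    func save(_ credentials: Credentials) -> Bool {
        credentialsManager.store(credentials: credentials)
    }

    // Every API call goes through here. A still-valid access token is returned
    // from storage; otherwise the manager renews and stores the result atomically.
    func accessToken() async throws -> String {
        let credentials = try await credentialsManager.credentials()
        return credentials.accessToken
    }

    func logout() -> Bool {
        credentialsManager.clear()
    }
}
```

The point of the single shared instance is that the lock protecting the refresh token lives inside the CredentialsManager; a new instance per access gives every caller its own lock, which is why the leeway setting alone cannot prevent the 'ferrt' events.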


Troubleshooting

Example details from the tenant logs:

  "details": {
    "familyId": "<REDACTED>",
    "tokenCounter": 4,
    "latestCounter": 6
  }

Things to check: whether tokenCounter equals latestCounter - 1. Only the immediately previous token can be reused within the leeway window; if an older one (such as the second-to-last, as in the example above where tokenCounter is 4 and latestCounter is 6) is exchanged, breach detection is triggered no matter how high the leeway time is.
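A small triage helper for the check above, as an added example that is not part of the article. It parses exported tenant log entries and, for each 'ferrt' event, reports how far the exchanged token lies behind the newest one in its family; the log entries, the LogEntry shape, and the event type "other_event" are constructed for the example, and only the "details" keys come from the article.

```swift
import Foundation

// Added example (not from the article). Classifies 'ferrt' events by the gap
// between the exchanged token and the newest token in its family.
struct LogEntry: Decodable {
    struct Details: Decodable {
        let familyId: String
        let tokenCounter: Int
        let latestCounter: Int
    }
    let type: String
    let details: Details?
}

enum ReuseVerdict: Equatable {
    // tokenCounter == latestCounter - 1: the immediately previous token was
    // exchanged again, outside the leeway window (otherwise no event is logged).
    case previousToken
    // tokenCounter < latestCounter - 1: an older token was exchanged; detection
    // fires regardless of leeway, so look for a second renewal path in the app.
    case olderToken(gap: Int)
}

func classify(_ d: LogEntry.Details) -> ReuseVerdict {
    let gap = d.latestCounter - d.tokenCounter
    return gap == 1 ? .previousToken : .olderToken(gap: gap)
}

// Returns one verdict per 'ferrt' entry; other event types are ignored.
func triage(_ json: Data) throws -> [(familyId: String, verdict: ReuseVerdict)] {
    try JSONDecoder().decode([LogEntry].self, from: json)
        .filter { $0.type == "ferrt" }
        .compactMap { entry in
            entry.details.map { (familyId: $0.familyId, verdict: classify($0)) }
        }
}

// Constructed sample export: family fam-A matches the article's example values.
let sampleLogs = """
[
  {"type": "ferrt", "details": {"familyId": "fam-A", "tokenCounter": 4, "latestCounter": 6}},
  {"type": "ferrt", "details": {"familyId": "fam-B", "tokenCounter": 9, "latestCounter": 10}},
  {"type": "other_event", "details": null}
]
""".data(using: .utf8)!

for (familyId, verdict) in try triage(sampleLogs) {
    switch verdict {
    case .previousToken:
        print("\(familyId): previous token reused outside the leeway window; check timing and concurrent renew calls")
    case .olderToken(let gap):
        print("\(familyId): exchanged token is \(gap) generations old; reuse detection fires regardless of leeway")
    }
}
```

Running it over a real export separates families where raising the leeway could plausibly help from families where it cannot, which is the first question to answer before filing an SDK bug.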

Solution

Check which Auth0.swift version your iOS app uses, to know whether it includes the thread-safe Credentials Manager (available starting from v2.0.0).

Unfortunately, Engineering will only action bug reports, so unless there is a proven issue in the SDK (rather than a bug in your application code) there is not much we can do. I'd suggest ruling out that possibility first, and then providing a reproducible example to the support team or creating a GitHub issue in the SDK repository so we can fix the SDK bug, if there is one. For the reproducible example, you can modify the Quickstart sample app.
