Refresh Tokens Comes Invalidated when Requested to Authentication API
Sep 10, 2025
Overview
The customer wants to obtain a new Access Token from the Authentication API but the response comes rejected.
Steps to Reproduce
- POST /oauth/token with:
- Client ID
- Client Secret
- Grant type: refresh_token
- Refresh token
Applies To
- Refresh Token
- Invalid Grant
Cause
As Refresh Token (RT) Rotation only allows to use an RT once, it gets invalidated after that and it can't be twice.
Troubleshooting
- Check if Rotation is active for Refresh Tokens
Solution
Explained in details in this title within the documentation:
https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation#automatic-reuse-detection
