Auth0 Error Counts Increase After Disabling Refresh Token Fallback
Error counts increase after the refresh token fallback is disabled because the fallback previously masked refresh token failures: when a refresh failed, the Single Page Application (SPA) Software Development Kit (SDK) silently started a new session through a hidden iframe and the Auth0 session cookie, so the failure never reached the application. With useRefreshTokensFallback set to false, the SDK stops and throws the error immediately on a refresh token failure, such as a reuse error, instead of attempting that silent repair. To resolve this issue, configure a rotation leeway in the dashboard and handle the resulting errors in the application code.
- Auth0
- Single Page Application (SPA) Software Development Kit (SDK)
- Refresh Token Rotation
- Local Storage
The errors are not new; disabling useRefreshTokensFallback only removes the mechanism that hid them. The underlying failures usually come from race conditions when the SDK cache is kept in local storage. If the application makes several API calls at the same time, each call reads the same refresh token from local storage and sends it to the token endpoint. The first refresh succeeds and, because rotation invalidates the token that was just used, the remaining requests present a refresh token that has already been rotated out. Auth0 treats that as refresh token reuse and returns an invalid_grant error.
What steps resolve refresh token fallback errors?
To resolve these errors and manage token rotation effectively, configure the refresh token rotation leeway in the dashboard so that a just-rotated token remains valid briefly, and add an error check in the application code that triggers a fresh login when a login_required or invalid_grant error occurs.
- Configure Refresh Token Rotation by adding a Rotation Leeway in the application settings in the dashboard. This keeps a just-used refresh token valid for a few seconds so that simultaneous requests that present the same token do not fail. Keep the leeway short (a few seconds is enough for concurrent calls), because it is also the window in which a genuinely replayed token is accepted instead of tripping reuse detection.
- Implement an error check in the application code that triggers a fresh login if one of these errors occurs. Anything other than login_required or invalid_grant should still surface as an error, since it indicates a problem the user cannot fix by logging in again.
- Add logic similar to the following around the SDK call that obtains a token, so that login_required or invalid_grant errors start a new login:
// error is the exception thrown by the SPA SDK, for example from getTokenSilently()
if (error.error === 'login_required' || error.error === 'invalid_grant') {
  await auth0Client.loginWithRedirect();
}
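The following is an added, self-contained example (not Auth0 code and not the SDK) that makes the race above observable and shows the two fixes working together. FakeTokenEndpoint stands in for the token endpoint with rotation, FakeSpaClient stands in for the SPA SDK with the fallback off and its cache in local storage, and getAccessTokenOrLogin is the application-side handler from the step above; all three names are hypothetical, and only the error codes and the getTokenSilently()/loginWithRedirect() method names mirror the real SDK. How a real leeway window responds to a tolerated reuse is simplified here (the endpoint returns the pair already issued for that rotation).

```javascript
// Added example, not Auth0's code. Simulates refresh token rotation with and
// without a rotation leeway and the application handler for the errors that
// become visible once useRefreshTokensFallback is false.

// Stand-in for the token endpoint. Each refresh consumes the presented refresh
// token and issues a new pair. The most recently consumed token may be presented
// again for leewaySeconds after it was rotated out (the dashboard leeway setting).
class FakeTokenEndpoint {
  constructor(leewaySeconds = 0) {
    this.leewayMs = leewaySeconds * 1000;
    this.live = 'rt-1';          // refresh token that has not been used yet
    this.previous = null;        // most recently consumed refresh token
    this.previousUsedAt = 0;
    this.gen = 1;
    this.issued = { access_token: 'at-1', refresh_token: 'rt-1' };
  }

  refresh(refreshToken, now = Date.now()) {
    if (refreshToken === this.live) {
      this.previous = refreshToken;
      this.previousUsedAt = now;
      this.gen += 1;
      this.live = `rt-${this.gen}`;
      this.issued = { access_token: `at-${this.gen}`, refresh_token: this.live };
      return this.issued;
    }
    if (refreshToken === this.previous && now - this.previousUsedAt < this.leewayMs) {
      // Inside the leeway window the reuse is tolerated. This simulation hands
      // back the pair already issued for that rotation (an assumption).
      return this.issued;
    }
    // Reuse outside the window trips reuse detection: Auth0 reports invalid_grant.
    const err = new Error('Unknown or invalid refresh token.');
    err.error = 'invalid_grant';
    throw err;
  }
}

// Stand-in for the SPA SDK client with useRefreshTokensFallback: false and
// cacheLocation: 'localstorage'. The refresh token is read from the shared store
// at the start of every call, which is what lets concurrent calls race.
class FakeSpaClient {
  constructor(endpoint, storage) {
    this.endpoint = endpoint;
    this.storage = storage;      // Map standing in for window.localStorage
    this.redirected = false;
    if (!storage.has('refresh_token')) storage.set('refresh_token', 'rt-1');
  }

  async getTokenSilently() {
    const rt = this.storage.get('refresh_token');
    await Promise.resolve();     // yield, as the real network round trip would
    // No fallback: a rotation failure is thrown straight to the caller.
    const pair = this.endpoint.refresh(rt);
    this.storage.set('refresh_token', pair.refresh_token);
    return pair.access_token;
  }

  async loginWithRedirect() {
    this.redirected = true;      // a real client navigates to /authorize here
  }
}

// Application-side handling: these two codes mean the session cannot be
// recovered silently, so start a fresh login. Anything else is a real error.
async function getAccessTokenOrLogin(client) {
  try {
    return await client.getTokenSilently();
  } catch (error) {
    if (error.error === 'login_required' || error.error === 'invalid_grant') {
      await client.loginWithRedirect();
      return null;
    }
    throw error;
  }
}

// Two API calls that refresh at the same time with the given leeway.
// Returns { tokens, redirected } so the outcome can be checked.
async function simulateConcurrentRefresh(leewaySeconds) {
  const client = new FakeSpaClient(new FakeTokenEndpoint(leewaySeconds), new Map());
  const tokens = await Promise.all([
    getAccessTokenOrLogin(client),
    getAccessTokenOrLogin(client),
  ]);
  return { tokens, redirected: client.redirected };
}

simulateConcurrentRefresh(0).then((r) => console.log('leeway 0s :', r));
simulateConcurrentRefresh(30).then((r) => console.log('leeway 30s:', r));
```

With no leeway the second call presents the token the first call already rotated out, gets invalid_grant, and the handler sends the user to a fresh login; with a 30-second leeway both calls complete with the same access token and no redirect happens. In a real application the redirect is disruptive, so the leeway is the fix for the concurrency case and the handler is the safety net for a refresh token that is genuinely no longer usable.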