getAccessTokenSilently Does Not Extend Auth0 SSO Session Idle Timeout When Using Refresh Tokens

Overview

This article explains why using getAccessTokenSilently() in an application may not extend the main Auth0 Single Sign-On (SSO) session idle timer. Users may observe that after a period of inactivity matching the tenant's Inactivity timeout, they are prompted to authenticate again when accessing a second application, even though the first application was successfully refreshing tokens.

Applies To
  • Auth0 Session Management
  • Single Sign-On (SSO)
  • Auth0 Single Page Application (SPA) SDK
  • Refresh Tokens
Cause

The behavior occurs because the getAccessTokenSilently() method can operate in two different ways, which dictates whether the Auth0 SSO session idle timer is reset. 

  • With Refresh Tokens Enabled (Default): This is the default in modern Auth0 Software Development Kits (SDKs) like auth0-spa-js. The getAccessTokenSilently() method uses a stored Refresh Token to call the /oauth/token endpoint. Calls to this endpoint do not reset the Auth0 SSO session idle timer. This is the recommended method as it does not rely on third-party cookies.
  • With Refresh Tokens Disabled (Legacy): When useRefreshTokens is explicitly set to false, the SDK uses a hidden iframe to call the /authorize?prompt=none endpoint. Calls to the /authorize endpoint do reset the Auth0 SSO session idle timer. This method is not recommended as it relies on third-party cookies and will fail in modern browsers that block them.
Solution

To ensure users remain signed in across multiple applications for a desired duration (e.g., up to 10 hours) while using the recommended default refresh token behavior, the solution is to adjust the tenant's session lifetime settings. 


The Auth0 SSO session idle timer is reset only by successful calls to the /authorize endpoint, which include interactive logins and silent authentication (when refresh tokens are disabled). Calls to the /oauth/token endpoint (used by refresh tokens) do not reset the idle timer. General information on sessions is available in the Auth0 Sessions documentation.


Recommended Solution: Adjust Session Lifetime Settings

This approach aligns with modern browser security practices and accepts that application token refreshes are separate from the central SSO session.

  1. Go to the Auth0 Dashboard.

  2. Navigate to Tenant Settings > Session Management.

  3. Increase the Inactivity timeout from a short value (e.g., 5 minutes) to a duration that reflects a reasonable period of true user inactivity (e.g., 1 hour or 8 hours).

  4. Set the Require login after to the maximum desired session duration (e.g., 10 hours).

This configuration ensures a user remains logged in via SSO for the configured inactivity period, regardless of SPA activity, and will be required to log in again only after the maximum duration is reached. For more details on these settings, see Configure Session Lifetime Settings.


Alternative (Not Recommended): Force Silent Authentication

It is possible to achieve a 'rolling' session where getAccessTokenSilently() resets the idle timer, but this is discouraged.

  1. Configure the Auth0 SPA SDK by setting useRefreshTokens: false.

  2. This forces getAccessTokenSilently() to use the /authorize?prompt=none method, which resets the idle timer.

NOTE: This method relies on third-party cookies and will fail for users on browsers that block them, resulting in a broken user experience and login_required errors.
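To see how the two SDK configurations above interact with the tenant's Inactivity timeout and Require login after settings, here is an added example that is not Auth0's code or part of the auth0-spa-js SDK: a small JavaScript model of the session rules this article states. The tenant values, renewal interval and timings are constructed inputs, and silentTokenRenewal() stands in for what getAccessTokenSilently() does under each setting rather than the SDK's real implementation. It lets you check, before changing tenant settings, whether a second application would still get SSO after a given period of refresh-token-only activity.

```javascript
// Added example (not Auth0's code): a model of the SSO session rules described in
// the article, used to reason about which tenant timeouts keep a user signed in
// across two applications when the SPA renews tokens with refresh tokens.

const MINUTE = 60 * 1000;
const HOUR = 60 * MINUTE;

// Tenant session settings (Dashboard > Tenant Settings > Session Management),
// captured at the moment of the interactive login that created the session.
function createTenantSession({ inactivityTimeoutMs, requireLoginAfterMs }, loginAt) {
  return { inactivityTimeoutMs, requireLoginAfterMs, createdAt: loginAt, lastActivityAt: loginAt };
}

// The SSO session is alive only while both the idle window and the absolute
// lifetime are unexpired.
function isSessionAlive(session, now) {
  const idleOk = now - session.lastActivityAt < session.inactivityTimeoutMs;
  const absoluteOk = now - session.createdAt < session.requireLoginAfterMs;
  return idleOk && absoluteOk;
}

// Model of getAccessTokenSilently() under each SDK configuration (hypothetical
// stand-in, not the SDK). Returns the endpoint used and whether the SSO idle
// timer was touched.
function silentTokenRenewal(session, { useRefreshTokens }, now) {
  if (useRefreshTokens) {
    // Default: refresh-token grant against /oauth/token. Never resets the idle timer.
    return { endpoint: '/oauth/token', sessionTouched: false };
  }
  // Legacy: hidden iframe to /authorize?prompt=none. Needs the SSO cookie and a
  // live session; succeeds only if the session is alive, and then resets the timer.
  if (!isSessionAlive(session, now)) {
    return { endpoint: '/authorize?prompt=none', sessionTouched: false, error: 'login_required' };
  }
  session.lastActivityAt = now;
  return { endpoint: '/authorize?prompt=none', sessionTouched: true };
}

// Scenario: user logs in to app A at t=0; app A renews its access token every
// renewEveryMs until visitBAt, when the user opens app B, which redirects to
// /authorize. Returns whether app B gets SSO without a new login prompt.
function simulateSecondAppVisit(tenantSettings, sdkOptions, renewEveryMs, visitBAt) {
  const session = createTenantSession(tenantSettings, 0);
  const renewals = [];
  for (let t = renewEveryMs; t < visitBAt; t += renewEveryMs) {
    renewals.push(silentTokenRenewal(session, sdkOptions, t));
  }
  const ssoAvailable = isSessionAlive(session, visitBAt);
  if (ssoAvailable) session.lastActivityAt = visitBAt; // app B's /authorize resets it
  return {
    ssoAvailable,
    renewals: renewals.length,
    failedRenewals: renewals.filter((r) => r.error).length,
    endpointsUsed: [...new Set(renewals.map((r) => r.endpoint))],
  };
}

// Constructed tenant settings: the short default-style timeout the article
// describes as the problem, and the adjusted values from the recommended solution.
const SHORT_TIMEOUT = { inactivityTimeoutMs: 5 * MINUTE, requireLoginAfterMs: 10 * HOUR };
const ADJUSTED = { inactivityTimeoutMs: 1 * HOUR, requireLoginAfterMs: 10 * HOUR };

// Usage: refresh tokens on (default), renewing every 4 minutes, app B opened at 30 minutes.
console.log('short timeout, refresh tokens:',
  simulateSecondAppVisit(SHORT_TIMEOUT, { useRefreshTokens: true }, 4 * MINUTE, 30 * MINUTE));
console.log('adjusted timeout, refresh tokens:',
  simulateSecondAppVisit(ADJUSTED, { useRefreshTokens: true }, 4 * MINUTE, 30 * MINUTE));
console.log('short timeout, legacy iframe:',
  simulateSecondAppVisit(SHORT_TIMEOUT, { useRefreshTokens: false }, 4 * MINUTE, 30 * MINUTE));
```

The first call reproduces the symptom from the overview: seven successful /oauth/token renewals and still no SSO for app B at 30 minutes. The second shows the recommended fix working with the same SDK behaviour. The third shows the 'rolling' legacy path, and changing its renewal interval to anything longer than the inactivity timeout turns every renewal into a login_required error, which is the same outcome a third-party-cookie block produces.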
