Fertft Events Log Error "Token could not be decoded or is missing in DB"
An error is logged for fertft events during a refresh token exchange. The error message is:
Token could not be decoded or is missing in DB
fertft events - Refresh Token Exchange
The error occurs because the Refresh Token (RT) is no longer valid or available in the database. Common reasons for this include:
- Reused: The RT was part of a token family invalidated due to reuse. An application attempting to reuse a rotating RT causes the invalidation of the entire RT family, which may log an error such as "Reused rotating refresh token detected, revoked the family". The database then deletes the token. Subsequent use of this RT triggers this error.
- Revoked: The RT was explicitly revoked. This action renders the RT invalid or causes it to be removed from the database.
- Expired: The RT reached its configured expiration lifetime. Expired tokens are invalid.
- Pruned: The system pruned the RT. This typically occurs when the 200 limit on active RTs per user per application is met, causing the removal of older tokens.
These conditions can also be caused by a race condition where the token refresh function (for example, auth0.credentialsManager.getCredentials) is called multiple times in quick succession from the application.
The appropriate action depends on the cause of the RT issue:
- If the RT was reused: Modify the application logic to ensure RTs are not reused after they have been exchanged. Verify that multiple calls are not made from the refresh function. Token requests must be gated so that only one refresh operation can be "in-flight" at a time. The auth0-spa-js Software Development Kit (SDK) uses promise-utils.js for this purpose.
- If the RT expired or was revoked: The user must sign in again to the application to obtain a new RT.
- If the RT was pruned: Adjust the frequency of forced re-authentication in the application that generates numerous RTs. Reducing a high re-authentication rate can prevent the premature pruning of older RTs used by other applications.
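The race condition and the "one refresh in flight" gate described above can be reproduced offline. The following is an added example, not code from this article or from any Auth0 SDK: makeTokenServer, makeClient and demo are hypothetical names, and the server is a constructed in-memory stand-in for rotation with reuse detection.

```javascript
// Constructed in-memory stand-in for a rotating-RT token endpoint (not Auth0's code).
const MISSING = 'Token could not be decoded or is missing in DB';
const REUSED = 'Reused rotating refresh token detected, revoked the family';
function makeTokenServer() {
  const db = new Map(); // refresh token -> { family, used }
  let n = 0;
  const issue = (family) => {
    const rt = `rt-${++n}`;
    db.set(rt, { family, used: false });
    return rt;
  };
  return {
    exchanges: 0,
    login: () => issue(`family-${n + 1}`),
    async exchange(rt) {
      this.exchanges++;
      await null; // stand-in for network latency
      const rec = db.get(rt);
      if (!rec) throw new Error(MISSING);
      if (rec.used) { // reuse detected: delete every token in the family
        for (const [k, v] of db) if (v.family === rec.family) db.delete(k);
        throw new Error(REUSED);
      }
      rec.used = true; // rotate: the old RT is spent, a new one is issued
      return issue(rec.family);
    },
  };
}
// Hypothetical client: with gated=true, concurrent callers share one exchange.
function makeClient(server, rt, gated) {
  let inFlight = null;
  const refresh = async () => (rt = await server.exchange(rt));
  return {
    getCredentials() {
      if (!gated) return refresh();
      if (!inFlight) inFlight = refresh().finally(() => { inFlight = null; });
      return inFlight;
    },
  };
}
// Three simultaneous refreshes, then one more after they settle.
async function demo(gated) {
  const server = makeTokenServer();
  const client = makeClient(server, server.login(), gated);
  const msg = (p) => p.then(() => 'ok', (e) => e.message);
  const burst = await Promise.all([1, 2, 3].map(() => msg(client.getCredentials())));
  const later = await msg(client.getCredentials());
  return { exchanges: server.exchanges, burst, later };
}
```

With `demo(false)` the first call rotates the RT, the second trips reuse detection and the rest, including the later refresh with the newly issued RT, fail with the error from this article. With `demo(true)` all callers share a single exchange and the later refresh succeeds.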