Troubleshoot Auth0 Token Renewal Issues In Safari With ITP Enabled
Auth0 token renewal using silent authentication fails in Safari when Intelligent Tracking Prevention (ITP) is enabled. ITP blocks third-party cookies, preventing the browser from silently obtaining a new token. Implementing Refresh Token Rotation or configuring an Auth0 custom domain resolves the issue.
- Auth0
- Safari Browser
- Intelligent Tracking Prevention (ITP)
- Silent Authentication
- Single Page Applications (SPA)
Safari enables Intelligent Tracking Prevention (ITP) by default, which blocks third-party cookies. This prevents the Auth0 Single Page Application (SPA) SDK from using hidden iframes to perform silent authentication and obtain new tokens.
How is the Auth0 token renewal issue resolved when ITP is enabled in Safari?
Implement Refresh Token Rotation or configure an Auth0 custom domain to bypass ITP restrictions.
- Implement Refresh Token Rotation to provide a secure method for using refresh tokens in SPAs without relying on third-party cookies.
- Configure Auth0 custom domains to operate on a subdomain of the application website domain. For example, if the application is hosted on example.com, the custom domain must use the format subdomain.example.com.
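As an added example (not code from Auth0 or from the original article), the following JavaScript checks whether an Auth0 domain is same-site with the application, which decides whether ITP treats the silent-authentication iframe's cookie as third-party, and returns the matching renewal approach. It generalizes the subdomain rule above to any two hosts that share a registrable domain; the hostnames and the short public-suffix list are constructed assumptions, and `useRefreshTokens` is the Auth0 SPA SDK option that switches renewal to refresh tokens.

```javascript
// Constructed subset of multi-label public suffixes (assumption); production
// code should consult the full Public Suffix List instead.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Return the registrable domain (eTLD+1) of a hostname.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// True when the Auth0 domain shares the app's registrable domain, so its
// session cookie is first-party inside the hidden iframe.
function isFirstParty(appOrigin, auth0Domain) {
  const appHost = new URL(appOrigin).hostname;
  return registrableDomain(appHost) === registrableDomain(auth0Domain);
}

// Report whether iframe-based silent authentication is blocked by ITP and
// which SDK options fit the situation.
function renewalPlan(appOrigin, auth0Domain) {
  if (isFirstParty(appOrigin, auth0Domain)) {
    // Custom domain on the app's site: the iframe flow keeps working.
    return { silentIframeBlocked: false, options: { domain: auth0Domain } };
  }
  // Cross-site tenant domain: renew with rotating refresh tokens instead.
  return {
    silentIframeBlocked: true,
    options: { domain: auth0Domain, useRefreshTokens: true },
  };
}

// Constructed sample hosts: a default tenant domain and a custom domain.
console.log(renewalPlan("https://app.example.com", "tenant.auth0.com"));
console.log(renewalPlan("https://example.com", "subdomain.example.com"));
```

Refresh Token Rotation must also be enabled for the application in the Auth0 tenant before `useRefreshTokens` has any effect.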
How is ITP debug mode used in Safari Technology Preview?
Use the "Intelligent Tracking Prevention Debug Mode" in Safari Technology Preview to troubleshoot ITP issues by executing the following terminal commands.
NOTE: The WebKit blog post instructions detail how to permanently classify a custom domain as having tracking abilities for testing purposes. In later versions of Safari Technology Preview, the domain to store the User Defaults for this setting changed from com.apple.SafariTechnologyPreview to com.apple.WebKit.Networking. Make sure to restart Safari Technology Preview after each change to settings for the changes to take effect.
- Classify a site as having tracking abilities:
  defaults write com.apple.WebKit.Networking ResourceLoadStatisticsManualPrevalentResource example.com
- Inspect the setting:
  defaults read com.apple.WebKit.Networking ResourceLoadStatisticsManualPrevalentResource
- Delete the setting:
  defaults delete com.apple.WebKit.Networking ResourceLoadStatisticsManualPrevalentResource