Online Refresh Tokens is now in Beta

We are excited to announce that our new feature "Online refresh tokens" is now available to all customers in Beta. This powerful new feature is designed to simplify token management and modernize your application architecture, especially for Single Page Applications (SPAs) allowing you to bind refresh tokens to the sessions they originated from, which provides seamless and consistent continuation of a session when cookies are affected by the browser vendor behaviour across different applications.

What's in the Beta

✨ New configuration options

• Configure specific audiences to provide Online refresh tokens - online refresh tokens configuration is now available under the API > settings page

🔒 Applications Integration

• New scope — Request the new online_access scope to receive your online refresh tokens, which will be bound to the session
• Refresh tokens normally — Online refresh tokens will continue your application access while the session exists
• Revoke a session, revoke its refresh tokens — Once the session is revoked, all its online refresh tokens become invalid, too

🚀 Availability

• Since online refresh tokens lifecycle is entirely based on their underlying session, online refresh tokens can be issued only in OIDC flows that generate a valid session and can return refresh tokens
• Following OIDC standards, implicit sessions that do generate a session but shall not return a refresh token, will not provide online refresh tokens either

Documentation Links

Online refresh tokens documentation

Join the beta!

If you're interested in joining the online refresh token beta program, please send a request through the Auth0 Support Center or contact your Technical Account Manager (TAM) or Auth0 Sales Executive to help you out with the process