Refresh tokens are used to request a new access token and/or ID token for a user without requiring them to re-authenticate. Typically, you should request a new access token before the previous one expires (to avoid any service interruption), but not every time you call an API, as token exchanges are subject to our Rate Limiting Policy. You may also use a refresh token to request a new ID token for a user, and should do so if you need to refresh the claims within the ID token.
To exchange the refresh token you received during authentication for a new access token, call the Get token endpoint of the Auth0 Authentication API. To learn more about the authentication methods available for the Authentication API, read Authentication Methods.
client_secret: (Optional) Application’s client secret. Only required for confidential applications using the Post token authentication method.
refresh_token: Refresh token to exchange.
The response will include a new access token, its type, its lifetime (in seconds), and the granted scopes. If the scope of the initial token included openid, then a new ID token will be in the response as well.
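The following added example (not from the original page and not Auth0's own code) shows a client that exchanges the refresh token only when the cached access token is close to expiry, and shares one exchange between concurrent callers so the rate limit is not hit. The `TokenManager` class, its `skewSeconds` option, the tenant domain, the form-encoded `POST /oauth/token` request with `grant_type` and `client_id`, and the handling of a replacement refresh token in the response are assumptions of this example.

```javascript
// Added example; TokenManager and its options are hypothetical names.
class TokenManager {
  constructor({ domain, clientId, clientSecret, refreshToken,
                fetchFn = globalThis.fetch, now = () => Date.now(), skewSeconds = 60 }) {
    Object.assign(this, { domain, clientId, clientSecret, refreshToken, fetchFn, now, skewSeconds });
    this.accessToken = null;
    this.expiresAt = 0;    // epoch milliseconds at which the cached token expires
    this.inFlight = null;  // shared promise: concurrent callers reuse one exchange
  }

  // Return the cached token unless it expires within skewSeconds.
  async getAccessToken() {
    if (this.accessToken && this.now() < this.expiresAt - this.skewSeconds * 1000) {
      return this.accessToken;
    }
    if (!this.inFlight) {
      this.inFlight = this.exchange().finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }

  // Exchange the refresh token at the token endpoint (path assumed: /oauth/token).
  async exchange() {
    const body = new URLSearchParams({
      grant_type: "refresh_token",
      client_id: this.clientId,
      refresh_token: this.refreshToken,
    });
    // Only confidential applications send the client secret.
    if (this.clientSecret) body.set("client_secret", this.clientSecret);
    const res = await this.fetchFn(`https://${this.domain}/oauth/token`, {
      method: "POST",
      headers: { "content-type": "application/x-www-form-urlencoded" },
      body,
    });
    const json = await res.json();
    // Surface only the error code; never log token values.
    if (!res.ok) throw new Error(`refresh failed: ${json.error || res.status}`);
    this.accessToken = json.access_token;
    this.expiresAt = this.now() + json.expires_in * 1000; // lifetime is in seconds
    // Assumption: if the response carries a replacement refresh token, store it.
    if (json.refresh_token) this.refreshToken = json.refresh_token;
    return this.accessToken;
  }
}
```

Store the refresh token and client secret in a server-side secret store; the class above keeps them in memory only.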
If Multi-factor Authentication (MFA) is enabled and the refresh token exchange flow fails, you can use the following Action code to bypass the MFA logic for that flow:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // This action will allow you to bypass the MFA logic for the refresh token exchange flow.
  if (event.transaction.protocol === "oauth2-refresh-token") {
    return;
  }
  // Add your MFA logic
  // For example: api.multifactor.enable("any");
};
```
You can customize the code example when separate logic needs to be executed or bypassed depending on the current flow or protocol.