You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: EXAMPLES.md
+130-1Lines changed: 130 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -923,6 +923,76 @@ export default withApiAuthRequired(async function handler(
923
923
By setting `{ refresh: true }`, you instruct the SDK to bypass the standard expiration check and request a new access token from the identity provider using the refresh token (if available and valid). The new token set (including the potentially updated access token, refresh token, and expiration time) will be saved back into the session automatically.
924
924
This will in turn, update the `access_token`, `id_token` and `expires_at` fields of `tokenset` in the session.
925
925
926
+
### Optimizing Token Refresh in Middleware
927
+
928
+
When using `getAccessToken()` in middleware for Backend-for-Frontend (BFF) patterns or to ensure fresh tokens for Server Components, avoid calling it on every request. Instead, implement time-based refresh logic to only refresh when the token is nearing expiration.
929
+
930
+
> [!NOTE]
931
+
> This pattern is designed for **centralized token management** in middleware. For **per-request latency mitigation** (e.g., checking token expiry immediately before a critical API call), see [Mitigating Token Expiration Race Conditions](#mitigating-token-expiration-race-conditions-in-latency-sensitive-operations).
932
+
933
+
#### Why This Matters
934
+
Calling `getAccessToken()` on every request can:
935
+
- Increase latency by 50-200ms per request
936
+
- Generate unnecessary load on Auth0's token endpoint
> Server Components cannot persist token updates. Always refresh tokens in middleware (where cookies can be set) rather than in Server Components to ensure refreshed tokens are saved to the session.
995
+
926
996
### Multi-Resource Refresh Tokens (MRRT)
927
997
928
998
Multi-Resource Refresh Tokens allow using a single refresh token to obtain access tokens for multiple audiences, simplifying token management in applications that interact with multiple backend services.
For applications where an API call might be made very close to the token's expiration time, network latency can cause the token to expire before the API receives it. To prevent this race condition, you can implement a strategy to refresh the token proactively when it's within a certain buffer period of its expiration.
1065
1135
1136
+
> [!NOTE]
1137
+
> This pattern is designed for **per-request latency mitigation** immediately before critical API calls. For **centralized token management** in middleware that benefits all Server Components, see [Optimizing Token Refresh in Middleware](#optimizing-token-refresh-in-middleware).
1138
+
1066
1139
The general approach is as follows:
1067
1140
1068
1141
1. Before making a sensitive API call, get the session and check the `expiresAt` timestamp from the `tokenSet`.
1069
-
2. Determine if the token is within your desired buffer period (e.g., 30-90 seconds) of expiring.
1142
+
2. Determine if the token is within your desired buffer period of expiring.
1070
1143
3. If it is, force a token refresh by calling `auth0.getAccessToken({ refresh: true })`.
1071
1144
4. Use the newly acquired access token for your API call.
1072
1145
1146
+
**Example Implementation:**
1147
+
1148
+
```typescript
1149
+
// app/api/critical-operation/route.ts
1150
+
import { auth0 } from"@/lib/auth0";
1151
+
import { NextResponse } from"next/server";
1152
+
1153
+
// Define your latency buffer (in seconds before expiry)
0 commit comments