How to use refresh token's "but will expire if not used every"

I try to use this config “but will expire if not used every”, such that user will get signed out automatically after a certain period of inactivity. That is my understanding, but I don’t see user get signed out automatically after 10 minutes inactivity.

And the code to initialise OktaAuth, from “@okta/okta-auth-js”: “~7.2.0”

const authClient = new OktaAuth({
  clientId: "clientId",
  issuer: `.../oauth2/default`,
  redirectUri: `${window.location.origin}/login/callback`,
  postLogoutRedirectUri: `${window.location.origin}/login`,
  tokenManager: {
    storage: {
      getItem: (key: string) => {
        return localStorage.getItem(key);
      setItem: (key: string, val: string) => {
        return localStorage.setItem(key, val);
    autoRenew: true,
    expireEarlySeconds: 30, 
    syncStorage: true,
  scopes: ["openid", "email", "profile", "groups", "phone", "offline_access"],
  cookies: {
    secure: true,
    sameSite: "None",
  pkce: true,


I saw this post Keep getting automatically signed out, but still I cannot figure it out how to use “but will expire if not used every”.



It looks like autoRenew is set to true.
I assume when you run your application if you open the dev tools in the browser and watch the Network tab, when idle you will see a /token call every 5 minutes?
When auth-js runs as a service it will continue update tokens in the background.

Can you verify if you see the /token call happen every 5 minutes?

Also note the SDK does not have any feature to logout of your application. So once the token manager no longer has a set of valid tokens then either calling isAuthenticated() will return false (this behavior can be overridden with your own logic), or visiting a protected link will fail.

The default auth-js behavior for the token manager can be customized with the below.

1 Like

Hi Erik,

Thank you for the feedback!

Yes, autoRenew is true, and the intention is to renew token every 5 minutes. Also I’m expecting the refreshToken becomes invalid after 10 minutes inacitvity, which is my understandig of “but will expire if not used every”. Am I wrong here?

And yes, there’re POST request call to “/token” every 5 minutes.

I called authClient.isAuthenticated() multi times during the period of 25 minutes, while maintained inactivity as I didn’t trigger any of authClient.tokenManager.getToken, authClient.tokenManager.getTokenSync, but it always resolves true. I’m expecting it to be false (invalid) after 10 minutes.

Does autoRenew: true suppress “but will expire if not used every” value?