Implement MRRT (#906)

aridibag · web-flow · commit 72a0c44d97ec · 2025-10-06T10:35:43.000+05:30
By submitting a PR to this repository, you agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md). Please see the [contributing guidelines](https://github.com/auth0/.github/blob/master/CONTRIBUTING.md) for how to create and submit a high-quality PR for this repo. ### Description In this PR, `auth0-spa-js` has been updated to allow `auth0-react` to use [Multi-Resource Refresh Tokens (MRRT)](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token). An example of configuring the Auth0Provider to use MRRT has also been provided. ### Testing - [Configure MRRT](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token/configure-and-implement-multi-resource-refresh-token). - In your react testing application, add `useMrrt`, `useRefreshTokens` and `useRefreshTokensFallback` to `true`, following the example on `EXAMPLE.MD`. - Get a token for audience 1. - Try to get a token for audience 2 using the refresh token from audience 1. - [x] This change adds test coverage for new/changed/fixed functionality ### Checklist - [x] I have added documentation for new/changed functionality in this PR or in auth0.com/docs - [x] All active GitHub checks for tests, formatting, and security are passing - [x] The correct base branch is being used, if not the default branch
diff --git a/EXAMPLES.md b/EXAMPLES.md
@@ -9,6 +9,7 @@
 - [Use with Auth0 organizations](#use-with-auth0-organizations)
 - [Protecting a route with a claims check](#protecting-a-route-with-a-claims-check)
 - [Device-bound tokens with DPoP](#device-bound-tokens-with-dpop)
+- [Using Multi Resource Refresh Tokens]()
 
 ## Use with a Class Component
 
@@ -571,3 +572,28 @@ createFetcher({
     })
 });
 ```
+
+## Using Multi-Resource Refresh Tokens
+
+With **Multi-Resource Refresh Tokens** -or simply **MRRT**- now a refresh token from one API, can be used to request a new access token from another different API. Read more about how MRRT works for browser-based applications to help you decide, wether you need or not, to use this functionality.
+
+- [Multi-Resource Refresh Token](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token)
+
+## Enabling MRRT
+
+MRRT is disabled by default. To enable it, set the `useMrrt` option to `true` when invoking the provider. You will need to set `useRefreshTokens` and `useRefreshTokensFallback` to `true` as well For example:
+
+```jsx
+<Auth0Provider
+  domain="YOUR_AUTH0_DOMAIN"
+  clientId="YOUR_AUTH0_CLIENT_ID"
+  useRefreshTokens={true}
+  useRefreshTokensFallback={true}
+  useMrrt={true} // 👈
+  authorizationParams={{ redirect_uri: window.location.origin }}
+>
+```
+
+> [!IMPORTANT]
+> In order MRRT to work, it needs a previous configuration setting the refresh token policies.
+> Visit [configure and implement MRRT.](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token/configure-and-implement-multi-resource-refresh-token)
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -95,6 +95,6 @@
     "react-dom": "^16.11.0 || ^17 || ^18 || ^19"
   },
   "dependencies": {
-    "@auth0/auth0-spa-js": "^2.4.1"
+    "@auth0/auth0-spa-js": "^2.5.0"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,6 @@`
`95`	`95`	`"react-dom": "^16.11.0 \|\| ^17 \|\| ^18 \|\| ^19"`
`96`	`96`	`},`
`97`	`97`	`"dependencies": {`
`98`		`- "@auth0/auth0-spa-js": "^2.4.1"`
	`98`	`+ "@auth0/auth0-spa-js": "^2.5.0"`
`99`	`99`	`}`
`100`	`100`	`}`