auth0 · hazel-nut · Apr 16, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026
@@ -2075,21 +2075,25 @@
                           "docs/secure/tokens/delegation-tokens",
                           {
                             "group": "Refresh Tokens",
+                            "root": "docs/secure/tokens/refresh-tokens",
                             "pages": [
-                              "docs/secure/tokens/refresh-tokens",
                               "docs/secure/tokens/refresh-tokens/get-refresh-tokens",
                               "docs/secure/tokens/refresh-tokens/use-refresh-tokens",
                               "docs/secure/tokens/refresh-tokens/configure-refresh-token-expiration",
-                              "docs/secure/tokens/refresh-tokens/refresh-token-rotation",
-                              "docs/secure/tokens/refresh-tokens/configure-refresh-token-rotation",
-                              "docs/secure/tokens/refresh-tokens/use-refresh-token-rotation",
-                              "docs/secure/tokens/refresh-tokens/disable-refresh-token-rotation",
                               "docs/secure/tokens/refresh-tokens/revoke-refresh-tokens",
-                              "docs/secure/tokens/refresh-tokens/manage-refresh-tokens-actions",
+                              {
+                                "group": "Refresh Token Rotation",
+                                "root": "docs/secure/tokens/refresh-tokens/refresh-token-rotation",
+                                "pages": [
+                                  "docs/secure/tokens/refresh-tokens/configure-refresh-token-rotation",
+                                  "docs/secure/tokens/refresh-tokens/use-refresh-token-rotation",
+                                  "docs/secure/tokens/refresh-tokens/disable-refresh-token-rotation"
+                                ]
+                              },
                               {
                                 "group": "Refresh Token Metadata",
+                                "root": "docs/secure/tokens/refresh-tokens/refresh-token-metadata",
                                 "pages": [
-                                  "docs/secure/tokens/refresh-tokens/refresh-token-metadata",
                                   "docs/secure/tokens/refresh-tokens/refresh-token-metadata/configure-refresh-token-metadata",
                                   "docs/secure/tokens/refresh-tokens/refresh-token-metadata/use-cases"
                                 ]
@@ -2100,11 +2104,10 @@
                                   "docs/secure/tokens/refresh-tokens/multi-resource-refresh-token",
                                   "docs/secure/tokens/refresh-tokens/multi-resource-refresh-token/configure-and-implement-multi-resource-refresh-token"
                                 ]
-                              }
+                              },
+                              "docs/secure/tokens/refresh-tokens/manage-refresh-tokens-actions"
                             ]
                           },
-                          "docs/secure/tokens/revoke-tokens",
-                          "docs/secure/tokens/manage-refresh-tokens-with-auth0-management-api",
                           "docs/secure/tokens/token-best-practices"
                         ]
                       }
@@ -10488,6 +10491,10 @@
     ]
   },
   "redirects": [
+    {
+      "source": "docs/secure/tokens/manage-refresh-tokens-with-auth0-management-api",
+      "destination": "docs/secure/tokens/refresh-tokens/revoke-refresh-tokens"
+    },
     {
       "source": "docs/customize/phone-messages/customize-phone-templates",
       "destination": "docs/customize/phone-messages/phone-templates"
@@ -14300,17 +14307,21 @@
       "source": "/docs/api-auth/tutorials/adoption/delegation",
       "destination": "/docs/secure/tokens/delegation-tokens"
     },
+    {
+      "source": "/docs/secure/tokens/revoke-tokens",
+      "destination": "/docs/secure/tokens"
+    },
     {
       "source": "/docs/security/tokens/revoke-tokens",
-      "destination": "/docs/secure/tokens/revoke-tokens"
+      "destination": "/docs/secure/tokens"
     },
     {
       "source": "/docs/tokens/guides/revoke-tokens",
-      "destination": "/docs/secure/tokens/revoke-tokens"
+      "destination": "/docs/secure/tokens"
     },
     {
       "source": "/docs/tokens/revoke-tokens",
-      "destination": "/docs/secure/tokens/revoke-tokens"
+      "destination": "/docs/secure/tokens"
     },
     {
       "source": "/docs/security/tokens/refresh-tokens/revoke-refresh-tokens",

@@ -1,13 +1,10 @@
 ---
+title: Manage Refresh Tokens with the Management API
 description: Learn how to manage refresh tokens with the Auth0 Management API.
-title: Manage Refresh Tokens with Auth0 Management API
 ---
-Auth0 issues a <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+token">refresh token</Tooltip> as a credential artifact that your application can use to get a new <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> without user interaction. This allows Auth0 to shorten the access token lifetime for security purposes without involving the user when the access token expires.
 
 <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
-
 The Auth0 Management API refresh token endpoints are currently are available to customers on Enterprise plans. To learn more, read [Pricing](https://auth0.com/pricing).
-
 </Callout>
 
 ## Management API endpoints
@@ -50,8 +47,6 @@ The refresh <Tooltip tip="Token Endpoint: Endpoint on the Authorization Server t
 * Refresh token revocation (`DELETE`) operations run asynchronously, and are eventually consistent.
 * Refresh tokens issued on or after 21-09-2023 (22-02-2024 for tenants in the US-3 region) contain the session ID (`session_id`) property with the appropriate value. Refresh tokens issued before this date contain this property with a `null` value.
 
-To learn more about refresh tokens limitations, read [Refresh Tokens limitations](/docs/secure/tokens/refresh-tokens).
-
 ## Learn more
 
 * [Refresh Tokens](/docs/secure/tokens/refresh-tokens)

@@ -1,7 +1,8 @@
 ---
+title: Manage Refresh Tokens with Actions
 description: Learn about managing Refresh Tokens with Actions
-title: Refresh Tokens with Actions
 ---
+
 Using <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=Refresh+tokens">Refresh tokens</Tooltip> with [Actions](/docs/customize/actions) allows you to configure post-authentication risk detection and response capabilities to protect your applications and users against compromised refresh tokens. You can also dynamically customize the [refresh token expirations](/docs/secure/tokens/refresh-tokens/configure-refresh-token-expiration).
 
 To facilitate this, post-login Actions feature two key objects:
@@ -52,13 +53,11 @@ You can use these methods to dynamically customize the refresh token lifetime an
 * Any other dynamic criteria available during execution of the Action
 
 <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
-
 The `api.refreshToken.setExpiresAt(absolute)` and `api.refreshToken.setIdleExpiresAt(idle)` methods allow to define the expiration of a refresh token, before its issuance, or modify an existing refresh token expiration during a [refresh token exchange](/docs/secure/tokens/refresh-tokens/use-refresh-tokens) flow.
 
 The `api.refreshToken.setExpiresAt(absolute)` and the `api.refreshToken.setIdleExpiresAt(idle)` methods will convert non-expiring refresh tokens to expiring refresh tokens using the defaults [Refresh Token expirations](/docs/secure/tokens/refresh-tokens/configure-refresh-token-expiration) settings as maximum values.
 
 The `api.refreshToken.setIdleExpiresAt(idle)` method sets the inactivity timeout for refresh tokens. If the method is not called in every successful exchange, the inactivity timeout will be overwritten using the refresh token lifetime application settings.
-
 </Callout>
 
 ## Limitations
@@ -73,8 +72,6 @@ The `api.refreshToken.setIdleExpiresAt(idle)` method sets the inactivity timeout
 
 - Both `api.refreshToken.setExpiresAt()` and `api.refreshToken.setIdleExpiresAt()` can only shorten their respective lifetimes from the current values. They cannot extend or increase the lifetime. 
 
-To learn more about refresh tokens limitations, read [Refresh Tokens limitations](/docs/secure/tokens/refresh-tokens).
-
 ## Use cases: Revoke a refresh token
 
 You can use [Actions](/docs/customize/actions) to configure risk detections and revoke refresh tokens with the `api.refreshToken.revoke(reason)` method and the event objects.
@@ -97,11 +94,6 @@ exports.onExecutePostLogin = async (event, api) => {
 };
 ```
 
-
-
-
-
-
 In this example, a check occurs at the start of the Action to verify that the `event.authentication.ImpossibleTravel.code` is equal to the `impossible_travel_from_last_login property`. If `true`, the Action calls the `api.refreshToken.revoke()` to:
 
 * Deny the transaction
@@ -129,11 +121,6 @@ exports.onExecutePostLogin = async (event, api) => {
 };
 ```
 
-
-
-
-
-
 In this example, a check occurs at the start of the Action to keep track of the IP addresses with the `event.refresh_token.device.initial_ip` and the `event.request.ip` properties. The Action determines if the transaction IP address has changed. If `true`, the Action calls the `api.refreshToken.revoke()` to:
 
 * Deny the transaction
@@ -177,11 +164,6 @@ exports.onExecutePostLogin = async (event, api) => {
 };
 ```
 
-
-
-
-
-
 In this example, If there is a specific absolute timeout defined for an Organization, the Action sets the refresh token absolute timeout to be equal to:
 
 * Newly issued tokens: `current_time` plus `organization_refresh_token_lifetime`
@@ -211,9 +193,4 @@ exports.onExecutePostLogin = async (event, api) => {
 };
 ```
 
-
-
-
-
-
 In this example, if there is a specific idle timeout defined for the Application and the user is an Admin, the Action sets the refresh token inactivity timeout to be equal to the `current_time` plus the `refresh_token_idle_timeout`. Note that we are changing the timeout for both newly issued tokens and existing ones during refresh token exchange.