Add meaning of isAuthenticated to FAQ (#1134)
Co-authored-by: Adam Mcgrath <[email protected]>
Co-authored-by: Ewan Harris <[email protected]>
3 people committed Sep 25, 2023
1 parent ceffb12 commit 405764e
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions FAQ.md
Expand Up @@ -135,3 +135,13 @@ If you want to use a CDN bundle together with import maps, you will need to use
const client = new Auth0Client({ ... });
</script>
```

## Why is isAuthenticated returning true when there are no tokens available to call an API?
As long as the SDK has an id token, you are considered authenticated, because it knows who you are. It might be that there isn't a valid access token and you are unable to call an API, but the SDK still knows who you are because of the id token.

Authentication is about who you are (id token), not what you can do (access token). The latter is authorization, which is also why you pass the access token to the API in the Authorization header.

So even when the refresh token fails, or `getTokenSilently` returns nothing, that doesn't impact the existence of the id token, and as a consequence of that, the authentication state. So it's expected for isAuthenticated to stay true in that case.

On top of that, the SDK can have multiple access tokens and multiple refresh tokens (e.g. when using multiple audience and scope combinations to call multiple API's), but only one id token.
If there are multiple access and refresh tokens, and one of the refresh tokens fails, it doesn't mean the other access tokens or refresh tokens are invalid, they might still be perfectly usable.
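Review bot: The new FAQ entry explains why `isAuthenticated` stays true after a refresh-token or `getTokenSilently` failure, but it never tells the reader what to rely on instead, so add a closing sentence after "they might still be perfectly usable" stating that `isAuthenticated` only reflects identity (the id token) and that application code should treat a failed or empty `getTokenSilently` result as the signal that an API call cannot be made, rather than gating API calls on `isAuthenticated` alone. Two small wording fixes in the same block: "API's" should be "APIs", and "id token" should use one consistent capitalization throughout the paragraphs.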
