auth0 · frederikprijck · Sep 25, 2023 · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023
@@ -98,3 +98,13 @@ new Auth0Client({
   useCookiesForTransaction: true
 });
 ```
+
+## Why is isAuthenticated returning true when there are no tokens available to call an API?
+As long as the SDK has an id token, you are considered authenticated, because it knows who you are. It might be that there isn't a valid access token and you are unable to call an API, the SDK still knows who you are because of the id token.
+
+Authentication is about who u are (id token), not what you can do (access token). The latter is authorization, which is also why you pass the access token to the API in the Authorization header.
+
+So even when the refresh token fails, or `getTokenSilently` returning nothing, that doesn't impact the existence of the id token, and as a consequence of that, the authentication state. So it's expected for isAuthenticated to stay true in that case.
+
+On top of that, the SDK can have multiple access tokens and multiple refresh tokens (e.g. when using multiple audience and scope combinations to call multiple API's), but only one id token.
+If there are multiple access and refresh tokens, and one of the refresh tokens fails, it doesnt mean the other access tokens or refresh tokens are invalid and they might still be perfectly usable.