Refresh Token Length Issue

I am receiving unexpectedly short refresh tokens (12 characters) from the auth/v1/token endpoint when using the grant_type=password flow. This is preventing session persistence in my native mobile application, as our client-side logic expects refresh tokens to be much longer (e.g., 100+ characters). I'm using @supabase/supabase-js version 2.39.x on the client side, and I've confirmed that my client-side code is not shortening the token. I've also checked the 'Sign In / Providers' and 'Sessions' configurations in my Supabase project dashboard and haven't found any obvious settings that would cause this. Can anyone help on potential reasons why the Supabase auth server might be returning a 12-character refresh token? Are there any specific project settings, server-side configurations, or known issues that could lead to this behavior?
4 Replies
garyaustin, 2mo ago
A refresh token is 12 characters...
CharlesCO (OP), 2mo ago
Hi Gary, thanks so much for the response. FYI, I'm brand new to coding and using bolt.new. The message I posted was what they recommended I ask, as they expect it to be hundreds of characters. Are you able to give me any more info to help me try to solve this? I'm trying to get my app to stay logged in even if the logged-in user closes the app and reopens it. Thanks again, really appreciate it.
garyaustin, 2mo ago
The refresh token is not expected to be 100s of characters. The access_token (JWT) is. supabase-js normally will log the user back in because it stores in local storage (or, if using SSR, a cookie) the access and refresh token pair. No idea why you are expecting more than 12 or what your issue might be. If you are trying to solve a staying-logged-in issue, you should probably start a new post with more information on your environment and exact symptoms.
CharlesCO (OP), 2mo ago
Thanks!
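
The distinction drawn in the replies above, shown as an added example that is not part of the original thread or of supabase-js: a client-side sanity check that validates the token pair by structure (the access token is a JWT, the refresh token is a short opaque string) next to the length-based check from the question. The function names and sample values are constructed for illustration, and the code assumes Node.js for `Buffer`.

```javascript
// Build a base64url segment for the constructed sample JWT below.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Constructed response shaped like the one described in the thread (not real tokens).
const sampleResponse = {
  access_token: [
    b64url({ alg: "HS256", typ: "JWT" }),
    b64url({ sub: "user-123", role: "authenticated", exp: 1900000000 }),
    "constructed-signature-not-valid",
  ].join("."),
  refresh_token: "abcdefghijkl", // 12 characters, opaque
};

// The faulty check from the question: rejects a valid short refresh token.
function lengthBasedCheck(res) {
  return typeof res.refresh_token === "string" && res.refresh_token.length >= 100;
}

// Decode (NOT verify) the JWT payload so the client can read claims such as exp.
// Signature verification belongs on the server that consumes the token.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Structural check: access token is an unexpired JWT, refresh token is a
// non-empty opaque string. No assumption is made about refresh token length.
function structuralCheck(res, nowSeconds = Math.floor(Date.now() / 1000)) {
  const problems = [];
  const claims = decodeJwtPayload(res.access_token);
  if (!claims) problems.push("access_token is not a three-part JWT");
  else if (typeof claims.exp !== "number" || claims.exp <= nowSeconds)
    problems.push("access_token is expired or has no exp claim");
  if (typeof res.refresh_token !== "string" || res.refresh_token.length === 0)
    problems.push("refresh_token is missing");
  else if (res.refresh_token.split(".").length === 3)
    problems.push("refresh_token looks like a JWT; fields may be swapped");
  return { ok: problems.length === 0, problems };
}
```

Treat both values as credentials when debugging: log the result of `structuralCheck`, not the tokens themselves.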
