Supabase revoking refresh token without any reuse or timeout triggers
Supabase library version: @supabase/supabase-js@2.56.0 for React Native and raw HTTP requests using the OkHttp client for Kotlin (com.squareup.okhttp3:okhttp@4.12.0)
Note: we have HTTP requests instead of libraries to keep the Kotlin execution lightweight and quick, without using many resources when running in the background.
Platform: Mobile (Android)
My Android app has 2 parts to it. The main RN part which has the UI and the analysis dashboard and a Native Android part which is available to be run even when the RN app isn’t active or running to enable data collection. This has resulted in a rather complex authentication system which needs to juggle authentication for both parts.
Users are getting a refresh token issued by Supabase and then revoked within ~80 mins when the app triggers a refresh request: Supabase reverts “refresh_token_already_used” and rejects the token.
The logs don’t show any other token being issued or rejected; in fact, Supabase Auth Logs show no other request was even triggered within the timeframe.
- Token A was minted at 2025-12-08 16:26:49Z
- First refresh was attempted with Token A at 2025-12-08 17:40:03Z
- Supabase answers refresh_token_already_used + “Possible abuse attempt: 3593”.
I’m on the Supabase free version for now and I’m not able to figure out why Supabase is revoking the refresh token even though neither it nor its parent has been used or changed in any way (Supabase Auth logs don’t show any revocation).
Can someone please help me and point me in the right direction?