Use the authorization code flow with PKCE (not the implicit flow) for SPAs; request the offline_access scope to receive a refresh token if the AS supports refresh tokens for public clients
Implement refresh token rotation: each use of a refresh token returns a new refresh token and the client discards the old one; configure the AS to invalidate the entire token family if an already-used refresh token is presented (refresh token reuse detection)
For silent renew without refresh tokens, load a hidden iframe pointing to the AS authorization endpoint with prompt=none; have the redirect page loaded inside the iframe relay the authorization response to the parent window via postMessage; handle a login_required error by redirecting the user for re-authentication
Store the refresh token in HttpOnly cookies or IndexedDB (not localStorage) to mitigate XSS-based token theft; weigh the CSRF risk of cookie storage against the XSS risk of JS-accessible storage for your threat model
Implement the OIDC session management check via the check_session_iframe (if the AS supports it) to detect cross-tab logout; alternatively subscribe to the Back-Channel Logout endpoint for server-initiated session termination
On access token expiry, use the refresh token to silently obtain a new access token without user interaction; handle invalid_grant (refresh token expired or rotated away) by redirecting to full login
Known gotchas
Many modern AS providers disable refresh tokens for SPAs by default due to token leakage risk; check whether your AS requires specific client settings (e.g. rotate_refresh_tokens and absolute lifetime caps) before relying on refresh tokens in an SPA
The prompt=none silent renew via iframe is blocked by browsers that prevent third-party cookie access (Safari ITP, Chrome CHIPS); if the AS session cookie carries a SameSite attribute (Lax or Strict), the cross-site iframe request will not send it and the iframe approach fails. Prefer refresh tokens or a BFF (backend-for-frontend) pattern in those environments
Refresh token rotation families mean that if a legitimate client and an attacker both hold a copy of the same refresh token, the first presentation succeeds and the second presentation of the now-spent token trips reuse detection, which revokes the whole family for both parties. The same revocation fires when the legitimate client is slow, for example when a second tab or a parallel request presents a refresh token that has already been rotated, which shows up as unexpected logouts; tune the family invalidation policy to your risk tolerance