Refresh Tokens with Automatic Reuse Detection
It is critical that the most recently issued refresh token is invalidated immediately when a previously used refresh token is sent to the authorization server. Revoking the whole token family means that none of its refresh tokens, whether held by the legitimate user or by an attacker, can be exchanged for new access tokens, so the theft is detected rather than silently rewarded.
This is what happens when your identity platform has 🤖 Automatic Reuse Detection:
1. The 🚓 Auth0 Authorization Server has been keeping track of all the refresh tokens descending from the original refresh token. That is, it has created a "token family".
2. The 🚓 Auth0 Authorization Server recognizes that someone is reusing 🔄 Refresh Token 1 and immediately invalidates the refresh token family, including 🔄 Refresh Token 2.
3. The 🚓 Auth0 Authorization Server returns an Access Denied response to 😈 Malicious User.
4. 🔑 Access Token 2 expires, and 🐱 Legitimate User attempts to use 🔄 Refresh Token 2 to request a new refresh-access token pair.
5. The 🚓 Auth0 Authorization Server returns an Access Denied response to 🐱 Legitimate User.
6. The 🚓 Auth0 Authorization Server requires re-authentication to get new access and refresh tokens.
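The steps above, as an added example that is not Auth0's implementation: a minimal in-memory authorization server that rotates refresh tokens, records which family each token belongs to, and revokes the whole family the moment an already-used refresh token is presented again. It also covers the other ordering the page does not spell out, where the attacker rotates the stolen token first and the legitimate user's later use of it is what trips the detection. The `AuthServer` and `RefreshError` names, the constructed password check and the token formats are assumptions for illustration.

```python
"""Refresh token rotation with automatic reuse detection (added example,
not Auth0's code). Names, credentials and token formats are assumptions."""
import secrets
from dataclasses import dataclass, field


class RefreshError(Exception):
    """Stands in for the server's Access Denied response."""


@dataclass
class RefreshToken:
    value: str
    family_id: str       # every token descending from one login shares this
    used: bool = False   # set once the token has been exchanged for a new pair


@dataclass
class AuthServer:
    tokens: dict = field(default_factory=dict)         # value -> RefreshToken
    revoked_families: set = field(default_factory=set)

    def _mint(self, family_id):
        """Issue a new (access token, refresh token) pair inside a family."""
        token = RefreshToken(secrets.token_urlsafe(32), family_id)
        self.tokens[token.value] = token
        return secrets.token_urlsafe(16), token.value

    def login(self, username, password):
        """Authenticate (constructed stub) and start a fresh token family."""
        if password != "correct horse":
            raise RefreshError("invalid credentials")
        return self._mint(family_id=secrets.token_hex(8))

    def refresh(self, refresh_token):
        """Rotate: accept a refresh token once, detect reuse, revoke the family."""
        token = self.tokens.get(refresh_token)
        if token is None:
            raise RefreshError("unknown refresh token")
        if token.family_id in self.revoked_families:
            raise RefreshError("token family revoked, re-authentication required")
        if token.used:
            # Reuse detected: nobody in this family gets a new pair again.
            self.revoked_families.add(token.family_id)
            raise RefreshError("refresh token reuse detected, family revoked")
        token.used = True
        return self._mint(token.family_id)

    def family_is_revoked(self, refresh_token):
        token = self.tokens.get(refresh_token)
        return token is not None and token.family_id in self.revoked_families


def replay_scenario(attacker_first=False):
    """Replay the page's scenario and report what each party observed."""
    server = AuthServer()
    _, refresh_1 = server.login("legit", "correct horse")
    stolen = refresh_1   # Refresh Token 1 leaks before it is rotated
    first, second = ("attacker", "legit") if attacker_first else ("legit", "attacker")
    outcome = {}
    # Whoever presents Refresh Token 1 first gets Access Token 2 / Refresh Token 2.
    _, refresh_2 = server.refresh(refresh_1)
    outcome[first] = "granted"
    # The second presentation of Refresh Token 1 is reuse: denied, family revoked.
    try:
        server.refresh(stolen)
        outcome[second] = "granted"
    except RefreshError as e:
        outcome[second] = str(e)
    # Access Token 2 expires; the holder of Refresh Token 2 tries to rotate it.
    try:
        server.refresh(refresh_2)
        outcome[first + "_rt2"] = "granted"
    except RefreshError as e:
        outcome[first + "_rt2"] = str(e)
    outcome["family_revoked"] = server.family_is_revoked(refresh_2)
    return outcome


if __name__ == "__main__":
    for ordering in (False, True):
        print("attacker first" if ordering else "legitimate user first",
              replay_scenario(attacker_first=ordering))
```

Note that reuse detection only revokes refresh tokens: an access token already issued to either party stays usable until it expires, which is why the scenario has 🔑 Access Token 2 run out before 🐱 Legitimate User is turned away and asked to sign in again.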