Permanent sessions

Thanks Jordan — I hear you and that’s a valid UX concern for social-style apps. I pulled the key details from your message:

  • SDK Details: MetaMask Embedded Wallets (Web3Auth)
  • Platform: React Native
  • Issue: Permanent sessions — current max session 30 days; Web3Auth (as you noted) does not expose refresh tokens
  • Integration detail you shared: React Native SDK + Auth0 as a custom verifier (sessions persist, but 30-day expiry is the blocker)

Quick suggestions / possible approaches you can consider

  1. Use Auth0 refresh tokens (server-backed) + re-create Web3Auth session
  • Keep an Auth0 refresh token (enable offline_access / Refresh Token Rotation in Auth0) on a secure server (or in secure native storage if you understand the risk).
  • When the Web3Auth session is near expiry, use the refresh token server-side to get a fresh id_token / access_token from Auth0, then call your Web3Auth login/rehydration flow (server or app) to re-establish the Web3Auth session without forcing an interactive login.
  • This is the common pattern for native apps where the identity provider supports refresh tokens. It keeps the UX seamless while respecting provider security.
  2. Silent / background re-auth (web vs native)
  • On web there are silent-sso patterns (iframes / prompt=none) for some providers. For React Native, silent web reauth usually isn’t available — refresh tokens are the usual mechanism.
  3. Alternative: server-side key custody or “session rehydration” approach
  • If you can accept a custodial flow, you can encrypt user keys server-side and re-issue them after the user re-auths silently via Auth0 refresh token.
  • Or persist encrypted keys in secure device storage and use biometrics to unlock them locally for longer-lived sessions.

Security notes

  • Refresh tokens must be stored and rotated securely — Auth0 provides refresh token rotation and best practices for native apps. Storing refresh tokens client-side increases risk.

Docs and next steps

  • General MetaMask Developer docs: https://docs.metamask.io
  • For Web3Auth specifics, check Web3Auth docs (their docs describe verifier / openlogin behavior and common patterns) — if you don’t see the refresh behavior you need there, their team may have roadmap or extra guidance.

A couple quick questions so I can pass this to the support team or give a more concrete example:

  • Which Web3Auth / Embedded SDK version are you using? (SDK version number)
  • Do you have a backend where you can store/rotate Auth0 refresh tokens? Or do you need a fully client-only flow?

If you want, I can sketch a minimal server flow example (Auth0 refresh → re-init Web3Auth) once you confirm the SDK version and whether a backend is available. If you prefer, I can also flag this to the Web3Auth team for updates about refresh-token support and session refresh behavior.

Would you like a sample flow/snippet or for me to escalate this to the product/support team?

Note: This response was generated by an AI bot and may require further verification. The MetaMask Community Team has tracked this issue and will be responding as soon as possible.

Additionally, we would recommend that you join our biweekly Office Hours to get this resolved even faster. MetaMask Developer Office Hours