What if the session ID expires? How will the SPA request to get a new session ID?
@Curity 1 year ago
The SPA’s session with APIs is represented by an encrypted HTTP-only cookie referencing the access token. The access token typically expires every 15 minutes or so. The SPA must initiate token refresh when this occurs, using a refresh token stored in another secure cookie. The SPA can do the refresh before expiry on a background timer if required. Eventually the refresh token will expire, and the SPA must redirect the user to re-authenticate. The Curity SPA code example shows how to do this: github.com/curityio/spa-using-token-handler/blob/main/spa/src/api/apiClient.ts#L29
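The refresh-and-retry flow described in the reply above, as an added example that is not part of the original comment and is not Curity's code: a 401 from the API triggers one refresh call that concurrent requests share, the request is retried once, and a 401 from the refresh call signals that the user must re-authenticate. The names `createApiClient`, `LoginRequiredError`, `fakeBackend` and the path `/oauth-agent/refresh` are hypothetical.

```javascript
// Added example. Hypothetical names: createApiClient, LoginRequiredError, /oauth-agent/refresh.
class LoginRequiredError extends Error {}

function createApiClient(fetchFn, refreshUrl) {
  let refreshInFlight = null; // one refresh shared by all concurrent 401s

  async function refresh() {
    // The browser attaches the HTTP-only refresh cookie; script never reads it.
    const res = await fetchFn(refreshUrl, { method: 'POST', credentials: 'include' });
    if (res.status === 401) throw new LoginRequiredError('refresh token expired');
    if (!res.ok) throw new Error(`refresh failed with status ${res.status}`);
  }

  function refreshOnce() {
    if (!refreshInFlight) {
      refreshInFlight = refresh().finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight;
  }

  return async function callApi(url, options = {}) {
    const opts = { ...options, credentials: 'include' };
    let res = await fetchFn(url, opts);
    if (res.status !== 401) return res; // access token cookie still valid
    await refreshOnce();                // throws LoginRequiredError when the session is over
    res = await fetchFn(url, opts);     // retry exactly once with the rewritten cookie
    if (res.status === 401) throw new LoginRequiredError('unauthorized after refresh');
    return res;
  };
}

// Constructed stand-in for the backend so the flow runs offline.
function fakeBackend(state) {
  return async (url) => {
    if (url === '/oauth-agent/refresh') {
      state.refreshCalls += 1;
      if (!state.refreshValid) return { status: 401, ok: false };
      state.accessValid = true;
      return { status: 204, ok: true };
    }
    return state.accessValid ? { status: 200, ok: true } : { status: 401, ok: false };
  };
}
```

In a browser, pass `fetch.bind(window)` as `fetchFn` and handle `LoginRequiredError` by redirecting the user to log in again.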