Native to Web SSO is currently available in Early Access. To request this feature, you must have an Enterprise plan. To learn more about Auth0’s product release cycle, review Product Release Stages.
Use Post Login Actions to limit session lifetime
Use post-login Action triggers to ensure web sessions created through Native to Web SSO are time-boxed appropriately and expire quickly when inactive.
You can use post-login Actions to detect when a session is initiated through a session_transfer_token and apply shorter idle and absolute timeouts.
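One way to write such an Action, as an added example rather than Auth0's own sample code: it shortens the session only when event.session_transfer_token is present and keeps the idle deadline inside the absolute one. It assumes the post-login api.session.setExpiresAt and api.session.setIdleExpiresAt methods (epoch milliseconds) and an event.session.created_at field; the helper name and the timeout values are constructed for illustration.

```javascript
// Added example. Timeout values are constructed; tune them to your risk profile.
const IDLE_MS = 15 * 60 * 1000;          // expire after 15 min of inactivity
const ABSOLUTE_MS = 2 * 60 * 60 * 1000;  // hard stop 2 h after session creation

// Hypothetical helper. Returns the limits applied, or null when the login
// did not come from Native to Web SSO (no event.session_transfer_token).
function applyTransferSessionLimits(event, api, now = Date.now()) {
  if (!event.session_transfer_token) return null;

  // Assumption: event.session.created_at is an ISO timestamp; fall back to now.
  const created = Date.parse(event.session?.created_at ?? '');
  const start = Number.isNaN(created) ? now : created;

  const absolute = start + ABSOLUTE_MS;
  // The idle deadline must never outlive the absolute one.
  const idle = Math.min(now + IDLE_MS, absolute);

  api.session.setExpiresAt(absolute);
  api.session.setIdleExpiresAt(idle);
  return { absolute, idle };
}

const onExecutePostLogin = async (event, api) => {
  applyTransferSessionLimits(event, api);
};

// Auth0 Actions load the handler from CommonJS exports.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```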
Bind session_transfer_token to the device or IP address
To reduce the risk of token replay if a token is leaked, logged, or intercepted, always bind the session_transfer_token to the origin environment using enforce_device_binding.
Use secure cookies over query parameters
Send the session_transfer_token to the web application using a secure, HttpOnly cookie scoped to your Auth0 domain to prevent accidental logging or sharing of the token via URLs and to reduce the attack surface for token interception. If you need to use a query parameter (for example, for Chrome Custom Tabs), ensure that the URL uses HTTPS and remove the token from the URL after use.
Avoid issuing refresh tokens to web apps unless necessary
Only enable allow_refresh_token for web applications that truly need long-lived tokens. In most cases, short-lived tokens combined with silent authentication are sufficient and safer in browser contexts.
Enable Allow Refresh Tokens when appropriate to set the refresh tokens as “online”
To avoid orphaned credentials and prevent them from lingering after logout, use the allow_refresh_token setting to ensure refresh tokens issued via Native to Web SSO are bound to the session that issued them. If the session is revoked or expires, the refresh token is automatically invalidated.
Enable enforce cascade revocation
To ensure that all web sessions and refresh tokens associated with a session_transfer_token are revoked, enable enforce_cascade_revocation in the native application. This is critical to ensure secure session invalidation across applications.