Since the access token is not sent to this API, there is no way of knowing that if we should allow this API to return a new refresh token or not, based on the access token's expiry. So we make it so that for each call to this API, a new refresh token is generated (which also adds more security).