with the current implementation, aren't the access token and refresh token sent with every request?