if you don't add those, instead of a 401, it will send a 500 which will display an error in the UI. But then when the user tries to call the API again, this time the session verification will fail which will return a 401 to the frontend and all will be as expected.