and the API is actually POST /api/auth/session/refersh. IF you navigate via your browser, you are sending a GET request. But even with that, you should still see the refresh token in the cookie