also, you must have cookies set against the API domain, otheriwse refresh would not return 200. It would return 401.