So if you delete the sAccessToken from the browser, and make an API request to a route that requires a session, that will fail with a 401, the SDK will try and call the refresh API which will return 404. Since you don’t have supertokens.middleware