I've asked this question before but it might be good to have some more clarity:
If I authenticate a user in SuperTokens (login), or register, the req.headers have sAccessToken, sRefreshToken, and sIdRefreshToken.
Therefore these all exist with every request made by the user. So is it not dangerous to allow the sRefreshToken and sIdRefreshToken to be sent with every request?