- "/user" gets valid access token -> "/api/user" gets valid access token and it works.
- "/user" gets no access token -> "/api/user" gets no access token -> the getSession function throws a TRY_REFRESH_TOKEN or UNAUTHORISED error -> "/user" gets the session expired status code from "/api/user". At this point, we need to somehow call the refresh token API.
- Since the refresh token is not sent to "/user" (it's stored in the frontend), the "/user" API should return some html/js that will call the refresh token API (this call will be made on the frontend. See https://supertokens.github.io/supertokens-website/docs/fetch/non-spa).
- If that call on the frontend succeeds, then it should call the "/user" API again and everything will work (since you have a new access token). If this call fails with session expiry, then the session has expired and the user must log in again.
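The flow above as an added example (not code from the thread or from SuperTokens): a Node "/user" handler that forwards the browser's access token cookie to "/api/user" and, on session expiry, serves a page whose script refreshes the session from the frontend and then retries "/user". Assumptions not in the thread: "/api/user" signals expiry with HTTP 401, the refresh endpoint is POST /auth/session/refresh, the cookie is named sAccessToken, and the network call is injected so the handler runs offline against a constructed stub.

```javascript
const SESSION_EXPIRED_STATUS = 401; // assumed: status "/api/user" returns on expiry
const REFRESH_PATH = "/auth/session/refresh"; // assumed refresh endpoint path

// Escape a user-controlled value before placing it in the rendered page.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Page "/user" serves when the server-side call saw no valid access token: the
// browser holds the refresh token, so the browser refreshes, then reloads
// "/user". The ?refreshed=1 marker stops a second expiry from looping forever.
function refreshPageHtml() {
  return `<!doctype html><html><body><script>
fetch(${JSON.stringify(REFRESH_PATH)}, { method: "POST", credentials: "include" })
  .then((r) => window.location.replace(r.ok ? "/user?refreshed=1" : "/login"));
</script></body></html>`;
}

// Pure decision step: given the request URL and what "/api/user" answered,
// choose the "/user" response. Synchronous so it can be tested directly.
function decideUserResponse(url, apiStatus, user) {
  const refreshed = new URL(url, "http://localhost").searchParams.get("refreshed") === "1";
  if (apiStatus === SESSION_EXPIRED_STATUS) {
    // Already refreshed once and still expired: session is gone, log in again.
    if (refreshed) return { status: 302, headers: { location: "/login" }, body: "" };
    return { status: 200, headers: { "content-type": "text/html" }, body: refreshPageHtml() };
  }
  if (apiStatus !== 200) return { status: 502, headers: {}, body: "upstream error" };
  return { status: 200, headers: { "content-type": "text/html" },
           body: `<h1>Hello ${escapeHtml(user.name)}</h1>` };
}

// Server glue: forward the browser's cookies (access token only) to "/api/user".
async function handleUserPage(req, fetchApi) {
  const apiRes = await fetchApi("/api/user", { headers: { cookie: req.headers.cookie || "" } });
  const user = apiRes.status === 200 ? await apiRes.json() : null;
  return decideUserResponse(req.url, apiRes.status, user);
}

// Constructed stand-in for "/api/user" so the handler runs offline: it accepts
// only the given access token (cookie name sAccessToken is an assumption).
function makeStubApi(validToken) {
  return async (_path, opts) => {
    const ok = (opts.headers.cookie || "").includes(`sAccessToken=${validToken}`);
    return ok ? { status: 200, json: async () => ({ name: "Ada <b>" }) } : { status: 401 };
  };
}
```

Wire `handleUserPage` into your real route with `fetch` (or your HTTP client) in place of `makeStubApi(...)`; the retry marker is the piece that keeps an expired refresh token from bouncing the browser between "/user" and the refresh endpoint.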