[kerbs]

It meant the client was expected to then make a request to refresh their session token.

Because of the middle layer sending a 403 instead of the API, clients would request refresh tokens in an infinite loop.