The BearerToken/RefreshToken are only populated on the request when the User Authenticates, i.e:
var refreshToken = authClient.Send(new Authenticate
{
provider = "credentials",
UserName = Username,
Password = Password,
}).RefreshToken;
Not just when they’re already authenticated, i.e:
var postAuthRefreshToken = authClient.Send(new Authenticate()).RefreshToken;
Essentially it prevents someone who has managed to capture an authenticated session to continually call /auth whilst they’re authenticated to continually get new Bearer/Refresh tokens. They need to re-authenticate in order to get new Bearer/Refresh tokens.