Create a Refresh Token Feature in your Strapi Application

Thanks @guhyeon, this solved my issue.

The auth: false key-value pair in the config object of the /api/token/refresh route allows requests to bypass the authentication middleware. Without it, the server will check for a valid JWT token, which would be expired, resulting in a 403 Forbidden error. Without this key-value pair, it is impossible to make a request to this route, as the default behavior of the server is to use the authentication middleware for all routes, resulting in unauthorized access.

1 Like
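An added example, not code from the post above or from Strapi: a route entry with `auth: false` next to a handler that validates the refresh token itself, since the authentication middleware no longer runs for that route. The handler name `auth.refreshToken`, the `refreshToken` body field, the two secrets and the helper functions are assumptions, and the small HS256 signer built on `node:crypto` stands in for a JWT library so the block runs without Strapi.

```javascript
// Added example: stand-alone model, runs in plain Node without Strapi.
const crypto = require('node:crypto');

// Constructed demo secrets (assumption: refresh and access tokens use different keys).
const REFRESH_SECRET = 'constructed-refresh-secret';
const ACCESS_SECRET = 'constructed-access-secret';

// Route entry in the shape of a Strapi route; served as /api/token/refresh.
const refreshRoute = {
  method: 'POST',
  path: '/token/refresh',
  handler: 'auth.refreshToken', // hypothetical handler name
  config: { auth: false },      // skip the JWT authentication middleware here only
};

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Minimal HS256 signer, used to build the constructed sample tokens.
function signToken(payload, secret) {
  const body = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${body}.${b64url(hmac(body, secret))}`;
}

// Returns the payload, or null when signature, token type or expiry is wrong.
function verifyRefreshToken(token, secret, nowSec) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret); // always HS256; header alg is ignored
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let payload;
  try { payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString()); } catch { return null; }
  if (!payload || payload.typ !== 'refresh' || typeof payload.exp !== 'number' || payload.exp <= nowSec) return null;
  return payload;
}

// Hypothetical handler: with auth: false this is the only check the request gets.
function refreshTokenHandler(ctx, nowSec = Math.floor(Date.now() / 1000)) {
  const payload = verifyRefreshToken(ctx.request?.body?.refreshToken, REFRESH_SECRET, nowSec);
  if (!payload) return { status: 401, body: { error: 'invalid refresh token' } };
  const jwt = signToken({ id: payload.id, typ: 'access', exp: nowSec + 900 }, ACCESS_SECRET);
  return { status: 200, body: { jwt } };
}
```

Keeping `auth: false` limited to this one route and rejecting anything that is not a valid, unexpired refresh token keeps the unauthenticated surface to a single check.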