Is it normal for the user to have to authenticate every 30 days? Shouldn’t the refresh token be used to keep the user always logged in?