Should we send the session or access token as a bearer token on each request or does it already do that?