Exchange a valid (non-expired) JWT for a fresh one with a new expiry.
The client should call this proactively before the token expires (e.g. when less than 1 hour remains) or reactively on any 401 response. If the token is already expired, this returns 403 and the user must log in again.
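A client-side sketch of the refresh policy described above, as an added example that is not part of the original API documentation. The `Session` class, the `send` and `refresh` transport callables, `REFRESH_WINDOW`, and the 200 status on a successful refresh are assumptions made for illustration.

```python
import base64, json, time

REFRESH_WINDOW = 3600  # seconds; the page's example threshold ("less than 1 hour remains")

class LoginRequired(Exception):
    """The refresh endpoint answered 403: the token had already expired."""

def seconds_left(token, now=None):
    # Read `exp` from the payload WITHOUT verifying the signature: the client only
    # uses it for scheduling, the server remains the authority on validity.
    part = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    return claims["exp"] - (time.time() if now is None else now)

class Session:
    # send(token, req) -> (status, body) and refresh(token) -> (status, new_token)
    # are hypothetical transport callables; 200 on refresh success is an assumption.
    def __init__(self, token, send, refresh):
        self.token, self._send, self._refresh = token, send, refresh

    def _renew(self):
        status, new_token = self._refresh(self.token)
        if status == 403:
            self.token = None  # drop the dead token so it is never replayed
            raise LoginRequired("token expired; user must log in again")
        if status != 200:
            raise RuntimeError(f"refresh failed: HTTP {status}")
        self.token = new_token

    def request(self, req, now=None):
        if self.token is None:
            raise LoginRequired("no token; user must log in")
        if seconds_left(self.token, now) < REFRESH_WINDOW:
            self._renew()  # proactive: close to expiry
        status, body = self._send(self.token, req)
        if status == 401:
            self._renew()  # reactive: retry exactly once to avoid a refresh loop
            status, body = self._send(self.token, req)
        return status, body

def make_token(exp):
    # Constructed sample token (placeholder header and signature), for the demo only.
    body = base64.urlsafe_b64encode(json.dumps({"exp": exp}).encode()).rstrip(b"=")
    return "e30." + body.decode() + ".sig"

if __name__ == "__main__":
    now = 1_700_000_000
    s = Session(make_token(now + 600), lambda t, r: (200, "ok"),
                lambda t: (200, make_token(now + 86400)))
    print(s.request("GET /me", now), round(seconds_left(s.token, now)))
```

The single retry after a 401 keeps a rejected token from driving an endless refresh loop, and clearing the token on 403 ensures an expired credential is not sent again.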