Hi @luigiC,
Welcome to the Auth0 Community!
It seems like you were using an expired access token, where the access token possibly had a 1 day token lifetime, to access a secure page.
What you will need to do is check if there user’s session has expired and prompt the user to re-authenticate.
Let me also add that refetch: true is used to return the user profile information based on the existing session information. Hence, why, you are still required to log in again to get access to the protected resource.
Finally, there is a difference in sending an ID or Access token. You will want to send the Access Token since it contains these registered claims regarding the authentication.
Let me know how this goes for you.
Thanks,
Rueben