It sends a new auth each time it gets a non-auth response (like event or request) as per the spec.. so then clients usually send back multiple responses .. 🤦‍♂️ afaik that's the norm..