Disclaimer: I work for Sendbird

If the user in question has ever been issued an accessToken or sessionToken, they will always need one moving forward in order to authenticate regardless of the security settings your application is configured for. I noticed you also posted on our community. I'll respond there as well incase there is follow up.

Also as a note, our JS V3 SDK has long been deprecated and it's highly recommend you move to our V4 version.