dbsc
Why send JWTs two different ways?
The current explainer says that when a session is being established, the JWT which contains the signed challenge is sent as the POST body data to the `/path+"/startsession"` endpoint. When the session is being refreshed, however, despite there being a separate URL `/path+"/refresh"` used, the JWT signing the challenge is depicted as being sent in a header, `Sec-Session-Response`.
It seems odd to have two different approaches for sending the JWT. Why not use either POST body, or a header, in both use cases?