The initial AUTH packet can only be sent by the client to re-authenticate. There are use cases for a server-initiated AUTH packet.

An example would be if login credentials are revoked on the broker side (e.g. due to administrative interventions). There is currently no way to force the client to re-send the AUTH packet. A server side AUTH challenge may help in such cases, so the client has a chance to provide valid credentials in case the original secrets are not valid anymore.

Another use case would be OAUTH 2.0. The JWT as Access Token may expire and the broker can notify the client that a new token is required.