Once a user has successfully authenticated to Access Manager, the user object uses browser cookies or URL query parameters to carry a Session ID from one application to the next. Each time the user requests access to a protected application, the new application must verify the user's identity. For example, a user successfully authenticates to the application at http://orgA.company.com/Store, and then later tries to access http://orgA.company.com/UpdateInfo, a service that is SSO-enabled. The UpdateInfo application does not ask the user to present credentials. Instead, the application uses the Session APIs and the user session to determine whether the user is already authenticated. If the Session methods determine that the user has already been authenticated and that the session is still valid, then the UpdateInfo application allows the user access to its data and operations. If the user is not already authenticated, or if the session is no longer valid, then the UpdateInfo application prompts the user to present credentials a second time. The SSO APIs can also be used to create or destroy an SSOToken, or to listen for SSOToken events.
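The check that UpdateInfo performs can be sketched as a servlet. This is an added example, not code from the Access Manager documentation. It assumes the Access Manager client SDK (`com.iplanet.sso`) and the servlet API are on the classpath; the class name `UpdateInfoServlet`, the helper `authenticatedToken` and the login URL are hypothetical.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

// Hypothetical servlet standing in for the UpdateInfo application.
public class UpdateInfoServlet extends HttpServlet {
    // Assumed values: replace with the deployment's login page and this application's URL.
    private static final String LOGIN_URL = "https://am.example.com/amserver/UI/Login";
    private static final String APP_URL = "http://orgA.company.com/UpdateInfo";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        SSOToken token = authenticatedToken(req);
        if (token == null) {
            // No session, or session no longer valid: the user must present credentials again.
            // The return address is a fixed constant, not taken from the request.
            resp.sendRedirect(LOGIN_URL + "?goto=" + URLEncoder.encode(APP_URL, "UTF-8"));
            return;
        }
        try {
            String user = token.getPrincipal().getName();
            resp.setContentType("text/plain; charset=UTF-8");
            resp.setHeader("Cache-Control", "no-store"); // keep protected data out of shared caches
            resp.getWriter().println("UpdateInfo: signed in as " + user);
        } catch (SSOException e) {
            // Session ended between validation and use: fail closed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    // Returns a validated token, or null when the request carries no usable session.
    private SSOToken authenticatedToken(HttpServletRequest req) {
        try {
            SSOTokenManager manager = SSOTokenManager.getInstance();
            SSOToken token = manager.createSSOToken(req); // built from the Session ID in the request
            manager.validateToken(token);                  // throws if expired or destroyed
            return token;
        } catch (SSOException e) {
            return null;
        } catch (UnsupportedOperationException e) {
            return null;
        }
    }
}
```

The servlet never writes the Session ID to the response or to logs, and every failure path ends in re-authentication or an error rather than access.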