> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.generaltranslation.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Native to Web SSO and Sessions

> Learn about Native to Web SSO and Sessions

<Warning>
  Native to Web SSO is currently available in Early Access. To use this feature, you must have an Enterprise plan. By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/?_gl=1*agihqh*_gcl_au*NjM2NjA1MDg4LjE3NTM5ODE4NjY.*_ga*MTgyNDA4MjM2Ny4xNzE1MTAyMjQy*_ga_QKMSDV5369*czE3NTQ0NzQ3NTAkbzM1MyRnMSR0MTc1NDQ3NjU5MCRqNiRsMCRoMA..). To learn more about Auth0's product release cycle, review Product Release Stages.
</Warning>

When a WebView or browser initiates a call to the `/authorize` endpoint, Auth0 determines if there is an active session, and then either reuses the existing session or honors the provided `session_transfer_token`. To avoid session injection risks, Auth0 uses a safe and predefined evaluation to determine if the `session_transfer_token` is valid. To learn more, read [Configure and Implement Native to Web SSO](/docs/fr-CA/fr-ca/authenticate/single-sign-on/native-to-web/configure-implement-native-to-web).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Native to Web SSSO does not change standard Auth0 [Single Sign-On](/docs/fr-CA/fr-ca/authenticate/single-sign-on) authentication.
</Callout>

**Specific Native to Web <Tooltip href="/docs/fr-CA/fr-ca/glossary?term=single-sign-on" tip="Authentification unique (SSO)
Service qui, après qu’un utilisateur se soit connecté à une application, le connecte automatiquement à d’autres applications." cta="Voir le glossaire">SSO</Tooltip> flows can result in the following behaviors:**

1. The user is logged in when a valid `session_transfer_token` is sent and there is no pre-existing Auth0 session.
2. The user is logged in when a valid `session_transfer_token` is sent and a pre-existing Auth0 session is found for the same user.
3. The user is prompted to login when a pre-existing Auth0 session is found and the `session_transfer_token` belongs to a different user. Additionally, the pre-existing Auth0 session is revoked.
4. The user is prompted to log in when a pre-existing Auth0 session is found and the `session_transfer_token` is invalid.

<div id="sessions-and-refresh-token-revocation">
  ## Sessions and refresh token revocation
</div>

A [`session_transfer_token`](/docs/fr-CA/fr-ca/authenticate/single-sign-on/native-to-web/configure-implement-native-to-web#create-and-manage-session-transfer-tokens) is used to initiate a secure session in a WebView or browser to securely authenticate the user without being prompted to login. These web sessions may also issue their own <Tooltip href="/docs/fr-CA/fr-ca/glossary?term=refresh-token" tip="Jeton d’actualisation
Jeton utilisé pour obtenir un jeton d’accès renouvelé sans obliger les utilisateurs à se connecter à nouveau." cta="Voir le glossaire">refresh tokens</Tooltip>.

Native to Web SSO applies a set of revocation rules to ensure consistent and secure behavior when sessions and refresh tokens are revoked:

* When a refresh token is revoked, it also revokes its associated refresh tokens and sessions if `enforce_cascade_revocation` is enabled in the native application.
* When a web session is revoked, it also revokes its associated refresh tokens  if `enforce_online_refresh_tokens`  is enabled in the web application
* Nested Native to Web SSO is not allowed. A web session created using a `session_transfer_token` cannot generate another `session_transfer_token`.
