> Auth0 Native to Web SSO carries an authenticated session from an iOS or Android app into a browser-based application so users skip a second login.

# Native to Web SSO and Sessions

When a WebView or browser initiates a call to the `/authorize` endpoint, Auth0 determines whether there is an active session, and then either reuses the existing session or honors the provided `session_transfer_token`. To avoid session injection risks, Auth0 uses a safe and predefined evaluation to determine whether the `session_transfer_token` is valid. To learn more, read [Configure and Implement Native to Web SSO](/docs/authenticate/single-sign-on/native-to-web/configure-implement-native-to-web).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Native to Web SSO does not change standard Auth0 [Single Sign-On](/docs/authenticate/single-sign-on) authentication.
</Callout>

**Specific Native to Web <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one application, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=SSO">SSO</Tooltip> flows can result in the following behaviors:**

1. The user is logged in when a valid `session_transfer_token` is sent and there is no pre-existing Auth0 session.
2. The user is logged in when a valid `session_transfer_token` is sent and a pre-existing Auth0 session is found for the same user.
3. The user is prompted to log in when a pre-existing Auth0 session is found and the `session_transfer_token` belongs to a different user. Additionally, the pre-existing Auth0 session is revoked.
4. The user is prompted to log in when a pre-existing Auth0 session is found and the `session_transfer_token` is invalid.

## Sessions and refresh token revocation

A [`session_transfer_token`](/docs/authenticate/single-sign-on/native-to-web/configure-implement-native-to-web#create-and-manage-session-transfer-tokens) initiates a secure session in a WebView or browser, authenticating the user without a prompt to log in. These web sessions may also issue their own <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+tokens">refresh tokens</Tooltip>.

Native to Web SSO applies a set of revocation rules to ensure consistent and secure behavior when sessions and refresh tokens are revoked:

* Revoking a refresh token also revokes its associated refresh tokens and sessions if `enforce_cascade_revocation` is enabled in the native application.
* Revoking a web session also revokes its associated refresh tokens if `enforce_online_refresh_tokens` is enabled in the web application.
* Nested Native to Web SSO is not allowed. A web session created using a `session_transfer_token` cannot generate another `session_transfer_token`.
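
The following Python model of the three revocation rules above shows what a revocation test should expect to observe for each flag setting. It is an added illustration, not Auth0 code: the `Artifact` class, the helper names, and the reading of "associated" as "derived from" are assumptions, and only the two flag names come from this page.

```python
from dataclasses import dataclass, field

@dataclass
class Artifact:
    """A refresh token or session; children are artifacts derived from it."""
    name: str
    kind: str                          # "refresh_token" or "session"
    from_transfer_token: bool = False  # session started with a session_transfer_token
    revoked: bool = False
    children: list = field(default_factory=list)

def derive(parent, name, kind, from_transfer_token=False):
    """Record that a new artifact was issued on the strength of `parent`."""
    child = Artifact(name, kind, from_transfer_token)
    parent.children.append(child)
    return child

def descendants(artifact):
    for child in artifact.children:
        yield child
        yield from descendants(child)

def issue_session_transfer_token(source):
    """Third rule: a session created from a session_transfer_token cannot mint another."""
    if source.kind == "session" and source.from_transfer_token:
        raise PermissionError("nested Native to Web SSO is not allowed")
    return f"stt-for-{source.name}"    # constructed placeholder, not a real token

def revoke(artifact, *, enforce_cascade_revocation, enforce_online_refresh_tokens):
    """Revoke `artifact`; return the names of everything revoked, in order."""
    if artifact.kind == "refresh_token" and enforce_cascade_revocation:
        extra = list(descendants(artifact))      # native-app flag: tokens and sessions
    elif artifact.kind == "session" and enforce_online_refresh_tokens:
        extra = [c for c in artifact.children if c.kind == "refresh_token"]  # web-app flag
    else:
        extra = []
    hit = [artifact, *extra]
    for item in hit:
        item.revoked = True
    return [item.name for item in hit]

def build_chain():
    """Constructed sample: native refresh token -> web session -> web refresh token."""
    native_rt = Artifact("native_rt", "refresh_token")
    web_session = derive(native_rt, "web_session", "session", from_transfer_token=True)
    web_rt = derive(web_session, "web_rt", "refresh_token")
    return native_rt, web_session, web_rt
```

With both flags off, revoking the native refresh token leaves the web session and its refresh token live in this model, which is the case a revocation test should exercise explicitly.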
