Hi All,
To introduce my current setup, I have 3 components:
- Website with some static (CMS) and dynamic parts, and a couple of Single Page Applications; everything runs on the domain spa.com.
- REST API, which provides any dynamic functionality (user profile), is hosted on api.com and requires SSO tokens to work.
- SSO server, hosted under the sso.com domain.
I'd like to determine in my SPA whether the user has an active SSO session, so that when I'm logged in but do not have tokens, I can:
- do a redirection dance to get tokens
- not allow the user to use the registration form
I'm using the Keycloak JS adapter, which uses an iframe mechanism, checks for the KEYCLOAK_SESSION cookie, and communicates with the host window via some flags:

    // check-session iframe: presence of the cookie is taken as "logged in"
    var cookie = getCookie('KEYCLOAK_SESSION');
    if (cookie) {
        data.loggedIn = true;
        data.session = cookie;
    }
The problem is that I cannot rely on this cookie to check if the user is logged in, because the cookie has a 30-day expiration date, which is way more than an actual Keycloak session lasts, let's say 15 minutes.
This cookie is set when the user gets authenticated and is not refreshed on each token update. I do not understand, then, its purpose and the purpose of this flag.
I'm also thinking about relying on local storage and keeping the refresh and access tokens there to determine if the user is logged in, either by checking the timeout or by trying to refresh the access token. BUT... this is also not reliable, because the user might have already authenticated using some other application.
To add more context to the problem... one of my SPA applications is a registration wizard, which uses the REST API to register the user and receives a login_hint in return. This login_hint can be used as a wildcard in the SSO redirect to pass the challenge and log in immediately.
However, if some other user is already logged in, we get in return the session of this other user, not the one that should be logged in because of the login_hint used.
Kind Regards,
Michał Chudy
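An added example, not code from the post above or from the Keycloak JS adapter: it derives the SPA's session state from the exp claims of the tokens the SPA actually holds, instead of from the presence of the 30-day KEYCLOAK_SESSION cookie, and maps that state to the two actions the post mentions (refresh, or redirect/block the form). The tokens are constructed here; the function and field names are assumptions.

```javascript
// Added example; not from the post or from keycloak-js. Tokens below are constructed.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
}

function base64UrlEncode(str) {
  const b64 = typeof btoa === 'function' ? btoa(str) : Buffer.from(str, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the payload WITHOUT verifying the signature: this is only a local hint
// for deciding what the SPA does next. The REST API still validates every token.
function jwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Session state as seen from the tokens the SPA holds:
//   'active'      - access token valid for at least minValiditySec more seconds
//   'refreshable' - access token (nearly) expired, refresh token still valid
//   'none'        - nothing usable locally
function sessionState({ accessToken, refreshToken }, nowSec, minValiditySec = 30) {
  const validFor = (t) => { try { return jwtPayload(t).exp - nowSec; } catch { return -Infinity; } };
  if (accessToken && validFor(accessToken) >= minValiditySec) return 'active';
  if (refreshToken && validFor(refreshToken) > 0) return 'refreshable';
  return 'none';
}

// What the SPA should do for each state (the two options named in the post).
function nextAction(state) {
  if (state === 'active') return 'call-api';
  if (state === 'refreshable') return 'refresh-token';     // e.g. adapter's updateToken()
  return 'redirect-or-block-registration';                  // login redirect / check-sso, or disable the form
}

// Constructed, unsigned sample token (placeholder signature) for the demo only.
function makeToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.sig`;
}

const now = Math.floor(Date.now() / 1000);
const demo = { accessToken: makeToken({ exp: now + 300 }), refreshToken: makeToken({ exp: now + 1800 }) };
console.log(sessionState(demo, now), '->', nextAction(sessionState(demo, now)));
```

This only answers "do I hold a usable session?"; the case where the user authenticated through another application still needs the adapter's check-sso/iframe round trip, since no local token exists to inspect.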