[[File:PICL-IdPAuth-auth-start.png|IdP Auth Protocol]]
This same authToken is can be used (once) to do one of the following: * /session/create: obtain the "a sessionToken (and keyFetchToken), which enables storage server access* /password/change: obtain an accountResetToken", which allows a client to safely reset the account password.* /account/delete: to delete the entire account
The protocol is designed to enable parallelism between key-stretching and the initial network messages, to reduce the time it takes to connect a browser to the account. In total, the browser requires five messages in four roundtrips (1: /auth/start, 2: /auth/finish, 3: /session/create, 4: /account/keys and /certificate/sign in parallel) before it is ready to talk to the storage server.