When using 4D's REST server, any request requires a session, and thus a valid license. The first REST request will consume a client connection license, and each subsequent REST request will also consume a license, unless the user opens a session via the REST authentication database method. After successful user authentication, a session cookie will be sent in the response header. This session cookie must be included in each subsequent request header to maintain the same user session, or else 4D will create a new session and consume additional licenses.
For most browsers, the session cookie will automatically be included in every subsequent REST request. However, if you are making cross-origin calls, the session cookie may not be automatically included. For example, if you are making cross-origin requests using the Fetch API, the session cookie will not be included, unless you specifically set the credentials property as 'include', like below:
In the example above, a POST request will be sent to 4D server via REST API, along with the user's session cookie. If "credentials: 'include'" was omitted, no cookie would be included, and thus 4D would open a new REST session. This is because the default value for the credentials property is 'same-origin', and thus user credentials are only sent if the URL is on the same origin as the calling script. However, if changed to 'include', the request will include the session cookie, and 4D's REST server will recognize the same user and maintain the same REST session.