Hi, that’s right: to trigger a successful authentication, the gateway expects a session object and a token value in the metadata dict.
If no session object is specified, HTTP 403 will be returned. To override the response, you may use the ReturnOverrides field, which is part of the request object; see here.