diff --git a/packages/arcgis-rest-auth/src/UserSession.ts b/packages/arcgis-rest-auth/src/UserSession.ts
index cb3d7adc23..f054435058 100644
--- a/packages/arcgis-rest-auth/src/UserSession.ts
+++ b/packages/arcgis-rest-auth/src/UserSession.ts
@@ -529,6 +529,7 @@ export class UserSession implements IAuthenticationManager {
       return new UserSession({
         clientId,
         portal,
+        ssl: response.ssl,
         redirectUri,
         refreshToken: response.refreshToken,
         refreshTokenTTL,
diff --git a/packages/arcgis-rest-auth/src/fetch-token.ts b/packages/arcgis-rest-auth/src/fetch-token.ts
index 37f3807c63..e39fcb1b30 100644
--- a/packages/arcgis-rest-auth/src/fetch-token.ts
+++ b/packages/arcgis-rest-auth/src/fetch-token.ts
@@ -12,16 +12,16 @@ interface IFetchTokenRawResponse {
   access_token: string;
   expires_in: number;
   username: string;
+  ssl: boolean;
   refresh_token?: string;
-  ssl?: boolean;
 }
 
 export interface IFetchTokenResponse {
   token: string;
   expires: Date;
   username: string;
+  ssl: boolean;
   refreshToken?: string;
-  ssl?: boolean;
 }
 
 export function fetchToken(
@@ -40,7 +40,8 @@ export function fetchToken(
       username: response.username,
       expires: new Date(
         Date.now() + (response.expires_in * 60 * 1000 - 60 * 1000)
-      )
+      ),
+      ssl: response.ssl === true
     };
     if (response.refresh_token) {
       r.refreshToken = response.refresh_token;
diff --git a/packages/arcgis-rest-auth/test/UserSession.test.ts b/packages/arcgis-rest-auth/test/UserSession.test.ts
index bd9f4f31c4..5e801f5341 100644
--- a/packages/arcgis-rest-auth/test/UserSession.test.ts
+++ b/packages/arcgis-rest-auth/test/UserSession.test.ts
@@ -861,7 +861,8 @@ describe("UserSession", () => {
         access_token: "token",
         expires_in: 1800,
         refresh_token: "refreshToken",
-        username: "Casey"
+        username: "Casey",
+        ssl: true
       });
 
       UserSession.exchangeAuthorizationCode(
@@ -872,6 +873,11 @@ describe("UserSession", () => {
         "code"
       )
         .then(session => {
+          expect(session.token).toBe("token");
+          expect(session.tokenExpires.getTime()).toBeGreaterThan(Date.now());
+          expect(session.username).toBe("Casey");
+          expect(session.refreshToken).toBe("refreshToken");
+          expect(session.ssl).toBe(true);
           done();
         })
         .catch(e => {
diff --git a/packages/arcgis-rest-auth/test/fetchToken.test.ts b/packages/arcgis-rest-auth/test/fetchToken.test.ts
index 7defc34937..3e0af4d179 100644
--- a/packages/arcgis-rest-auth/test/fetchToken.test.ts
+++ b/packages/arcgis-rest-auth/test/fetchToken.test.ts
@@ -12,7 +12,8 @@ describe("fetchToken()", () => {
   it("should request a token with `client_credentials`, `client_id` and `client_secret`", done => {
     fetchMock.postOnce(TOKEN_URL, {
       access_token: "token",
-      expires_in: 1800
+      expires_in: 1800,
+      ssl: false
     });
 
     fetchToken(TOKEN_URL, {
@@ -33,6 +34,7 @@ describe("fetchToken()", () => {
         expect(options.body).toContain("grant_type=client_credentials");
         expect(response.token).toEqual("token");
         expect(response.expires).toBeGreaterThan(Date.now());
+        expect(response.ssl).toEqual(false);
         done();
       })
       .catch(e => {
@@ -45,7 +47,8 @@ describe("fetchToken()", () => {
       access_token: "token",
       expires_in: 1800,
       refresh_token: "refreshToken",
-      username: "Casey"
+      username: "Casey",
+      ssl: true
     });
 
     fetchToken(TOKEN_URL, {
@@ -74,6 +77,7 @@ describe("fetchToken()", () => {
         expect(response.refreshToken).toEqual("refreshToken");
         expect(response.username).toEqual("Casey");
         expect(response.expires).toBeGreaterThan(Date.now());
+        expect(response.ssl).toEqual(true);
         done();
       })
       .catch(e => {