These extensions specify how applications can perform server-to-server authentication using a security token service (STS). For example, an email service might use these extensions to authenticate itself when it makes a call to an instant messaging service. Both of these services are server applications. However, in the scope of this protocol, the email service would be the client, and the instant messaging service would be the server. For an example of a server-to-server security token that a client might send to authenticate itself, see section 4.2.