It could be that you had a valid session cookie (for your
developer account), so we were able to fulfill the request without
an extra authentication parameter.
For sure we do make sure that you are authenticated (and the
account owner) for the session request, but I don't really care if
the authentication comes from a token or a cookie.
BTW, we don't rely entirely on cookies for authentication
because depending on browser and operating system they have erratic
behaviour in Flash (i.e. cookies are not shared between HTTP
requests and FileReference upload/download) so we use an
authentication token (passed on every request) :) That is the only
way that works everywhere.