Why does UserSession.find return nil when using user_credentials = single_access_token?

I believe that I've set up everything such that single_access_token
should be sufficient to pull a user's session.

The scenario is:
Bob uses Firefox and creates an account on LoginUI (http://
Instead of using cookies, Bob's single_access_token comes in the
response to the request.
LoginUI submits Bob's single_access_token with every request
(essentially using it as though it were the persistence token).
Bob clicks 'account settings' and changes his password, but the
request fails.

The request fails because the record is not found (presumably it's
trying to find Bob by the persistence token rather than the single
access token.

I've been very thorough in looking through the documentation, but I
must be missing something. What is it that I'm neglecting?

class UsersController < ApplicationController
  def update
    # params[:user_credentials].inspect shows the correct
    user_hash = RegisteredUserSession.find.record
    user = RegisteredUser.find(user_hash)

    respond_to do |format|
      format.json { head :ok }

    def single_access_allowed?

class UserSession < Authlogic::Session::Base
  allow_http_basic_auth = true
  params_key = 'user_credentials'
  single_access_allowed_request_types = :all

class RegisteredUserSession < UserSession

class User < ActiveRecord::Base
  set_table_name "users"
  attr_accessible :display_name, :email, :password

  acts_as_authentic do |c|
    c.require_password_confirmation = false

  class << self
    def public_hash(obj)
        :display_name => obj.display_name,
        :email => obj.email,
        :single_access_token => obj.single_access_token,
        :errors => obj.errors

class RegisteredUser < User
  attr_accessible :display_name, :email, :password

  validates_presence_of :display_name
  validates_length_of :password, :within=>6..254

  acts_as_authentic do |c|
    c.require_password_confirmation = false
    c.change_single_access_token_with_password = true
    c.email_field = 'email'

apologies, I meant to send this to the authlogic list