If a user is accessing a QuickBase application through a web browser, once the call to API_Authenticate has been made successfully, the ticket cookie will be used automatically: there is no need to explicitly supply the ticket value as returned in the XML.
Login to QuickBase is provided through the API_Authenticate call, which returns a ticket and a ticket cookie. Just like a regular QuickBase login through the UI, the ticket by itself does not convey access to any applications. The application owner needs to assign an access role to the user first. (In addition to the ticket, your app needs an app token.)