Last updated 07/13/2021
Access tokens are what a website or application uses to make API requests on behalf of a user. With Bread & Butter, you can configure an OAuth provider so that all login actions will return an Access Token for each user that logs in. Your website or application can then use this Access Token to access specific parts of a user’s data.
For each custom Identity Provider that you create, you will see an Advanced Settings option. If you expand this, you will see the Return Authorization Data option. If you enable this, each user’s Access Token will be returned to your website via Validate Login (see the API documentation).
Please note that Return Authorization Data and Access Tokens are currently not supported with the Twitch Identity Provider or with SAML Enterprise Providers.
Scopes are identifiers for additional user resources that your website or application needs access to. Resources can be calendars, inboxes, repos, etc., depending on the Provider.
By default, each custom Provider is configured to request basic Profile and Email address scopes. If your application or website requires additional Scopes, they can be entered under the Scopes section of Advanced Settings for each provider.
When a user logs in, the Identity Provider will present them with the Scopes/Permissions that your website has requested, and will give the user the option to accept or reject access.
For more information on this feature, and what scopes are available for each Provider, please see Scopes.
Bread & Butter does not store users’ Access Tokens. Bread & Butter does ensure that the Access Tokens are secure in transit between the Provider and your website or application. In your website or application, please ensure that the Access Token is stored securely and is not accessible to other applications on the same device. Also, please note that the Access Token can only be used over an HTTPS connection.
In order to use an Access Token, please check the Provider’s documentation for the token endpoint.
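The following is an added example, not Bread & Butter code, of the storage and HTTPS guidance above for a server-side Python application on a POSIX host. It assumes the Provider accepts the token in an `Authorization: Bearer` header; the function names and the file-based store are illustrative choices, and the API URL must come from the Provider's documentation.

```python
import os
import stat
import urllib.request
from urllib.parse import urlsplit

def require_https(url):
    """Return url unchanged if it is https:// with a host, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("access token may only be sent over HTTPS")
    return url

class HttpsOnlyRedirect(urllib.request.HTTPRedirectHandler):
    """urllib copies Authorization onto redirected requests; block HTTP downgrades."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def save_token(path, token):
    """Write the token to a file that only the owning user can read (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # also tightens a file that already existed
        os.write(fd, token.encode("utf-8"))
    finally:
        os.close(fd)

def load_token(path):
    """Read the token back, refusing a file that group or others can access."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to other users")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()

def bearer_request(url, token):
    """Build a request carrying the token (assumed Bearer scheme); HTTPS only."""
    headers = {"Authorization": f"Bearer {token}"}
    return urllib.request.Request(require_https(url), headers=headers)

def call_api(url, token, timeout=10.0):
    """Call a Provider API URL (from the Provider's documentation) with the token."""
    opener = urllib.request.build_opener(HttpsOnlyRedirect())
    with opener.open(bearer_request(url, token), timeout=timeout) as resp:
        return resp.read()
```

The redirect handler matters because a plain `urllib` opener would resend the token to whatever URL a redirect names, including an `http://` one.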