Server API

Last updated 01/06/2023

Requests that are made from your server side. All require an app secret to call.

x-app-secret
Your app secret (user's app_secrets can be found at


GET /apps/{app_id}/authentications/{authentication_token}

Returns the details of a login action. Requires your app secret.


app_id string
Unique identifier for your application. Provided by Bread & Butter.
authentication_token string
The unique identifier to retrieve the response data package. Found in the query string of the redirection URL.
Example
{
 "app_id": "6ba4da69b3394e78927758597dc4482b",
 "authentication_token": "5fea650bb109764ea3dc56fc"
}


app_id string
Unique identifier for your application.
user_id string
Unique identifier for the authenticated user.
auth_success boolean
This confirms that authentication succeeded.
auth_error boolean
The reason the authentication failed.
auth_data object
This object contains the details of the user that authenticated.
  email_address string
  The email address of the user.
  first_name string
  The first name of the user.
  last_name string
  The last name of the user.
  profile_image_url string
  URL of the profile image for the user.
  uid string
  This is a unique identifier created by the Identity Provider for the user.
  data object
  This is the raw data returned by the Identity Provider.
  oauth_tokens AuthorizationDataTokens
  Authorization Data Tokens are used to make API requests on behalf of the user via the OAuth protocol. To enable this feature, Return Authorization Data must be enabled for your Provider.
provider object
This object contains the data that was returned from the Identity Provider authentication.
  idp string
  Description here…
  id string
  Description here…
  protocol string
  Description here…
  name string
  Description here…
  type string
  Description here…
options object
This object contains the options configured when the authentication request was initiated.
  client_data string (optional)
  Used to carry state information in your application. This string value (can be JSON) will be passed to the callback at the end of the authentication workflow.
  callback_url string (optional)
  URL that the BreadButter server should redirect back to after authentication. Must be whitelisted in App configuration.
  destination_url string (optional)
  URL that the user should be redirected to after the login has been validated. This is used primarily for mobile workflows.
  force_reauthentication string (optional)
  Indicates whether to force re-authentication for the user. By default this is set to `off`. Pass `attempt` to ask the Provider to prompt for re-authentication but continue if not possible. Pass `force` to have the login action fail if the Provider does not prompt. Supported providers include Microsoft, Okta, Dropbox, OneLogin, Fitbit, and Twitter.
Example
{
 "app_id": "6ba4da69b3394e78927758597dc4482b",
 "user_id": "5fea650bb109764ea3dc56fe",
 "auth_success": true,
 "auth_error": true,
 "auth_data": {
  "email_address": "",
  "first_name": "",
  "last_name": "",
  "profile_image_url": "",
  "data": {},
  "uid": "{UID}",
  "oauth_tokens": {
   "access_token": "{access-token}",
   "access_token_expires_in": 3600,
   "refresh_token": "{refresh-token}",
   "can_refresh_token": true,
   "can_revoke_token": false
  }
 },
 "provider": {
  "idp": "google",
  "id": null,
  "name": "",
  "type": "social",
  "protocol": "oauth"
 },
 "options": {
  "client_data": "{}",
  "callback_url": null,
  "destination_url": null,
  "force_reauthentication": null
 }
}
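
A server-side check built on this endpoint, as an added example (not Bread & Butter's own code). It treats the authentication_token from the redirect query string as untrusted input and accepts a login only when the response says so. API_BASE is a placeholder because the page does not give the host; the identifier pattern and all function names are assumptions.

```python
import json
import re
import urllib.request

API_BASE = "https://api.example.invalid"  # placeholder: the page does not give the host
_ID = re.compile(r"[A-Za-z0-9_-]{1,128}")  # assumed ID shape; the page's examples are hex


def build_request(app_id, authentication_token, app_secret, base=API_BASE):
    """Build the GET request; the token arrives in a query string, so it is untrusted."""
    for name, value in (("app_id", app_id), ("authentication_token", authentication_token)):
        if not isinstance(value, str) or not _ID.fullmatch(value):
            # Reject '/', '..', '?', '%' so the secret-bearing request cannot be re-pointed.
            raise ValueError(f"invalid {name}")
    url = f"{base}/apps/{app_id}/authentications/{authentication_token}"
    return urllib.request.Request(url, headers={"x-app-secret": app_secret}, method="GET")


def evaluate_login(details, expected_app_id):
    """Return a minimal identity dict for a successful login, else raise PermissionError."""
    if details.get("app_id") != expected_app_id:
        raise PermissionError("response is for a different app")
    if details.get("auth_success") is not True:  # strict: "true" or 1 do not count
        raise PermissionError("authentication did not succeed")
    user_id = details.get("user_id")
    if not isinstance(user_id, str) or not user_id:
        raise PermissionError("missing user_id")
    auth = details.get("auth_data") or {}
    # oauth_tokens and raw provider data are deliberately kept out of the session identity.
    return {"user_id": user_id, "email_address": auth.get("email_address"),
            "idp": (details.get("provider") or {}).get("idp")}


def fetch_login(app_id, authentication_token, app_secret):
    """Network step (not exercised offline): call the endpoint and evaluate the reply."""
    req = build_request(app_id, authentication_token, app_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return evaluate_login(json.load(resp), app_id)


# Constructed sample reply, shaped like the response example on this page.
SAMPLE = {"app_id": "6ba4da69b3394e78927758597dc4482b", "user_id": "5fea650bb109764ea3dc56fe",
          "auth_success": True, "provider": {"idp": "google"},
          "auth_data": {"email_address": "user@example.com", "uid": "constructed-uid",
                        "oauth_tokens": {"access_token": "constructed"}}}
```

Keep the app secret in server-side configuration only; it never belongs in the page or app that receives the redirect.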