Logon LabsBread and Butter

We’ve made some changes. Logonlabs.com is still here for you to view but, if you want the latest on our product please view the Bread & Butter IO website here:

Access Tokens

Access tokens are what a website or application uses to make API requests on behalf of a user. With LogonLabs, you can configure an OAuth provider so that all login actions will return an Access Token for each user that logs in. Your website or application can then use this Access Token to access specific parts of a user’s data.

Enabling “Return Authorization Data”

For each custom Identity Provider that you create, you will see an Advanced Settings option. If you expand this, you will see the Return Authorization Data option. If you enable this, each user’s Access Token will be returned to your website via Validate Login (See API documentation).

Please note that Return Authorization Data and Access Tokens are currently not supported with the Twitch Identity Provider, and SAML Enterprise Providers.


Scopes are identifiers for additional user resources that your website or application needs access to. Resources can be calendars, inboxes, repos, etc., depending on the Provider.

By default, each custom Provider is configured to request basic Profile and Email address scopes. If your application or website requires additional Scopes, they can be entered under the Scopes section of Advanced Settings for each provider.

When a user logs in, the Identity Provider will present them with the Scopes/Permissions that your website has requested, and will give the user the option to accept or reject access.

For more information on this feature, and what scopes are available for each Provider, please see Scopes.

Refresh and Revoke Tokens

Access Tokens are only valid for a specific period of time. In order to get a new Access Token, or see which Providers support this feature, please see Refresh Tokens. Your application should be configured to use the stored Access Token, and if it receives an authentication error, it can call Refresh Token to get a new Access Token.

In some scenarios, such as when a user unsubscribes, an Access Token may need to be revoked. To revoke an Access Token, or see which Providers support this feature, please see Revoke Tokens.


LogonLabs does not store users Access Tokens. LogonLabs does ensure that the Access Tokens are secure in transit between the Provider and your website or application. In your website or application, please ensure that the Access Token is stored securely and is not accessible to other applications on the same device. As well, please note that the access token can only be used over an HTTPS connection.

Using an Access Token

In order to use an Access Token, please check the Provider’s documentation for the token endpoint.