Right now, tokens come back as cookies that allow web based applications to continue using the token since cookies get sent with all additional requests; however, when using things like cURL, the only way to use the APIs is to keep sending the user/pass in the Authorization header. "Authorization: Bearer <ACCESS_TOKEN>" to indicate the user is using a token.