Group items tagged

token identifies a User, App or Page session and provides information about granted permissions

Types

User Access

generated in the login flow when a

Facebook Pages

use this token to perform API calls

Page Access

used to

user who is the

App Secret or an App Access token should never be included in any code that could be accessed by anyone other than a developer of the app

must grant an extended permission called

use this type of token to make API calls

unique to each page, admin and app

App Access

useful to modify app settings, create and manage test users or read App Insights data

use app tokens to publish or delete content

unique to each app

Security Best Practices

extremely important that an App Secret is not compromised

App Access Tokens should only be used directly from your app's servers in order to provide the best security

error_reason=user_denied

Handling Revoked Permissions to see how best to proceed

Step 6. Exchange the code for an Access Token

exchange it for a User access token that can then be used to make API requests

/oauth/access_token

server-side request to the following OAuth endpoint:

client_secret

code=CODE_GENERATED_BY_FACEBOOK

body of the response

access_token

persist this User access token in your database or in a session variable

must have the same base domain as that specified in the App Domain property of your app's settings

URL of the form https://apps.facebook.com/YOUR_APP_NAMESPACE

scope=user_birthday,read_stream

Step 4. Add Permissions to Login Dialog request

comma-separated list of any of the Permissions available

Step 5. Handle the response from the Login Dialog

Step 5. Handle the response from the Login Dialog

Step 5. Handle the response from the Login Dialog

Step 5. Handle the response from the Login Dialog

YOUR_REDIRECT_URI

Step 3. Redirect the user to the Login Dialog

Login for Server-side Apps

Login for Server-side Apps

Login for Server-side Apps

Login for Server-side Apps

Login for Server-side Apps

Login for Server-side Apps

way to authenticate users in situations where the use of client-side Javascript is not appropriate.

Login for Server-side Apps

received an access token for them and can make API calls on their behalf

Step 5. Handle the response from the Login Dialog

include CSRF protection using the state parameter

if the user has authorized the app, they will be redirected to:

YOUR_REDIRECT_URI

code=CODE_GENERATED_BY_FACEBOOK

redirect_uri as the same URL that redirect the user to the Login Dialog

refreshes and extends each time the user triggers the login flow

Extending

user access tokens

response from this endpoint will include the

exchange this token for a longer-lived one

passing it to the /oauth endpoint from your server

grant_type parameter of fb_exchange_token

/oauth/access_token

grant_type=fb_exchange_token

fb_exchange_token=SHORT_LIVED_ACCESS_TOKEN

by default you'll receive a short-lived token that is only valid for 1-2 hours