Access Tokens
When someone connects with an app using Facebook Login, the app will be able to obtain an access token which provides temporary, secure access to Facebook APIs.
An access token is an opaque string that identifies a user, app, or Page and can be used by the app to make Graph API calls. Access tokens are obtained via a number of methods, each of which is covered later in this ********. The token includes information about when it will expire and which app generated it. Because of privacy checks, the majority of API calls on Facebook need to include an access token. There are different types of access tokens to support different use cases:
# - Generating Access Tokens - #
- User Access Tokens
- App Access Tokens
- Page Access Tokens
# User Access Tokens #
Although each platform generates access tokens through different APIs, all platforms follow the same basic strategy to get a user token:
Different platforms have different methods to kick off this process and include functionality to manage access tokens on behalf of the developer and the person granting permissions:
JavaScript
The Facebook SDK for JavaScript obtains and persists user access tokens automatically in browser cookies. You can retrieve the user access token by making a call to FB.getAuthResponse, which will include an accessToken property within the response.
Android
The Facebook SDK for Android automatically manages user access tokens through the class com.facebook.AccessToken. You can learn more about obtaining a user access token by implementing Facebook Login for Android. You can retrieve the user access token by inspecting Session.getCurrentAccessToken.
iOS
The Facebook SDK for iOS automatically manages user access tokens through the class FBSDKAccessToken. You can learn more about obtaining a user access token by implementing Facebook Login for iOS. You can retrieve the access token by inspecting FBSDKAccessToken.currentAccessToken.
Web (without JavaScript)
When building an app on the web without Facebook's SDK for JavaScript, you will need to generate an access token during the steps outlined in that ********.
Short-Term Tokens and Long-Term Tokens
User access tokens come in two forms: short-lived tokens and long-lived tokens. Short-lived tokens usually have a lifetime of about an hour or two, while long-lived tokens usually have a lifetime of about 60 days. You should not depend on these lifetimes remaining the same - the lifetime may change without warning or expire early. See more under handling errors.
Access tokens generated via web login are short-lived tokens, but you can convert them to long-lived tokens by making a server-side API call along with your app secret.
Mobile apps that use Facebook's iOS and Android SDKs get long-lived tokens by default.
Apps with Standard access to Facebook's Marketing API that use long-lived tokens receive long-lived tokens with no expiry time. These tokens are still subject to invalidation for other reasons, but won't expire solely based on time. The same is true of access tokens for System Users in Business Manager.
Tokens are Portable
One important aspect to understand about access tokens is that they are portable. Once you have an access token you can use it to make calls from a mobile client, a web browser, or from your server to Facebook's servers. If a token is obtained on a client, you can ship that token down to your server and use it in server-to-server calls. If a token is obtained via a server call, you can also ship that token up to a client and then make the calls from the client.
Moving tokens between your client and server must be done securely over HTTPS to ensure the security of people's accounts.
App Access Tokens
Note that because this request uses your app secret, it must never be made in client-side code or in an app binary that could be decompiled. It is important that your app secret is never shared with anyone. Therefore, this API call should only be made using server-side code.
There is another method to make calls to the Graph API that doesn't require using a generated app access token. You can just pass your app id and app secret as the access_token parameter when you make a call:
https://graph.facebook.com/endpoint?key=value&access_token=app_id|app_secret
The choice to use a generated access token vs. this method depends on where you hide your app secret.
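The server-side handling described in the preceding passages (converting a short-lived token with the app secret, the app_id|app_secret token form, and keeping the secret out of client code), as an added example in my own Python rather than code from Facebook's docs: the secret only ever enters server-to-server requests, the exchange response is read for its actual expires_in instead of assuming 60 days, and a missing expires_in is treated as a token with no time-based expiry. The /oauth/access_token endpoint, the fb_exchange_token grant and the appsecret_proof parameter are Graph API features I know of but that this page does not show; the sample response is constructed.

```python
import hashlib
import hmac
import json
from urllib.parse import urlencode

GRAPH = "https://graph.facebook.com"

# Constructed sample, shaped like the Graph API's token-exchange reply.
SAMPLE_EXCHANGE_RESPONSE = (
    '{"access_token":"EAAB-long-lived-example","token_type":"bearer","expires_in":5183944}'
)

def app_access_token(app_id: str, app_secret: str) -> str:
    """The app_id|app_secret form of an app access token; build it on the server only."""
    return f"{app_id}|{app_secret}"

def exchange_request_params(app_id: str, app_secret: str, short_lived: str) -> dict:
    """Query parameters of the server-side call that swaps a short-lived user token
    for a long-lived one (endpoint and names as in the Graph API OAuth flow)."""
    return {
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,  # the secret travels server-to-server only
        "fb_exchange_token": short_lived,
    }

def exchange_request_url(app_id: str, app_secret: str, short_lived: str) -> str:
    params = exchange_request_params(app_id, app_secret, short_lived)
    return f"{GRAPH}/oauth/access_token?{urlencode(params)}"

def appsecret_proof(access_token: str, app_secret: str) -> str:
    """HMAC-SHA256 of the token keyed with the app secret. Sent with server-side
    calls, it stops a leaked portable token from being replayed by a caller
    who does not also hold the secret."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()

def parse_exchange_response(body: str, now: int):
    """Return (token, expires_at_unix). Use expires_in rather than a hard-coded
    lifetime; no expires_in means the token has no time-based expiry."""
    data = json.loads(body)
    expires_in = data.get("expires_in")
    expires_at = now + int(expires_in) if expires_in is not None else None
    return data["access_token"], expires_at

def needs_refresh(expires_at, now: int, margin: int = 24 * 3600) -> bool:
    """True when the token expires within `margin` seconds (None never expires by time)."""
    return expires_at is not None and expires_at - now <= margin
```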
Page Access Tokens
Page access tokens are used in Graph API calls to manage Facebook Pages. To generate a page access token, an admin of the page must grant an extended permission called manage_pages. Once this permission has been granted, you can retrieve the page access token using the following Graph API request:
Code:
GET /me/accounts HTTP/1.1
Host: graph.facebook.com
This can be requested with a user access token that has the required permissions. It returns a list of the Pages the person administers, with some additional info (such as the Page category and the permissions the admin has for that Page) as well as each Page's access token:
Code:
{
  "data": [
    {
      "category": "Product/service",
      "name": "Sample Page",
      "access_token": "{access-token}",
      "id": "1234567890",
      "perms": [
        "ADMINISTER",
        "EDIT_PROFILE",
        "CREATE_CONTENT",
        "MODERATE_CONTENT",
        "CREATE_ADS",
        "BASIC_ADMIN"
      ]
    }
  ]
}
You can use this type of token to make API calls on behalf of a Page. For example, you could post a status update to a Page (rather than on the user's timeline) or read Page Insights data.
Page access tokens are unique to each Page, admin and app.
Page admins have different roles, indicated by the perms array returned above. The functionality available to them is determined by the following perms values:
For more information on Page roles, see Pages, Page Roles.
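Selecting a Page access token from the /me/accounts response shown above, as an added example in my own Python (not code from Facebook's docs): the token for a given Page is handed out only when the admin's perms on that Page cover what the caller intends to do, and a log-safe rendering is provided because the token is a credential. The response below is constructed in the shape of the page's sample, with a second Page added on which the admin holds fewer perms; the token values are placeholders.

```python
import json

# Constructed sample shaped like the /me/accounts response: the page's
# "Sample Page" plus a second Page where this admin holds fewer perms.
ACCOUNTS_RESPONSE = json.dumps({
    "data": [
        {
            "category": "Product/service",
            "name": "Sample Page",
            "access_token": "EAAB-example-page-token",
            "id": "1234567890",
            "perms": ["ADMINISTER", "EDIT_PROFILE", "CREATE_CONTENT",
                      "MODERATE_CONTENT", "CREATE_ADS", "BASIC_ADMIN"],
        },
        {
            "category": "Community",
            "name": "Second Page",
            "access_token": "EAAB-example-second-token",
            "id": "9876543210",
            "perms": ["MODERATE_CONTENT", "BASIC_ADMIN"],
        },
    ]
})

def page_token_for(accounts_json: str, page_id: str, required_perms) -> str:
    """Return the Page access token for `page_id`, refusing unless the admin's
    perms on that Page include every entry of `required_perms`."""
    data = json.loads(accounts_json)
    for page in data.get("data", []):
        if page.get("id") != page_id:
            continue
        missing = set(required_perms) - set(page.get("perms", []))
        if missing:
            raise PermissionError(f"admin lacks {sorted(missing)} on Page {page_id}")
        return page["access_token"]
    raise LookupError(f"Page {page_id} is not among the user's administered Pages")

def redact(token: str, keep: int = 4) -> str:
    """Log-safe rendering of a token: show a short prefix and its length only."""
    return f"{token[:keep]}...({len(token)} chars)"
```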
Source: https://developers.facebook.com/
Source: https://developers.facebook.com/docs/facebook-login/access-tokens
Source: https://developers.facebook.com/docs/facebook-login/overview
Source: https://developers.facebook.com/docs/facebook-login/best-practices
Source: https://developers.facebook.com/products/sharing/overview