I am having an issue with Facebooks Graph API Rate limiting and saying that the
Application request limit reached
which then prevents other users from making request, even though I have generated User Access Tokens. I know they are user access tokens because when I put them into the Access Token Debugger the Type comes back as User and according to the documentation about user access tokens.
Graph API requests made with a user access token are counted against
that user’s call count.
so it should have nothing to do with any application usage but it still seems to. Nothing should be being done on the "applications" behalf I always want the user as to not block other users in-case one user is more active than others.
The user signs in on a website and a server sends the authentication token to clients who then periodically pulls content (every 15 mins). When the rate limit is reached all users appear to get the rate limit error.
Am I misunderstanding what the docs are saying about the User Tokens? Can you not have rates based on individual users and not an entire application?
Related
I'm working on an app which implements the traditional email / password method along with Facebook login. I am working on a search autocomplete feature so when a user types in, for example, "hou" it will return cities matching that term like "Houston, Texas".
Since not all users will be logged in with Facebook I'll be using the App Access Token to call Facebooks API. This is the endpoint I am getting my data from:
https://graph.facebook.com/v2.7/search?type=adgeolocation&location_types=["city"]&country_code=US&q=hou&access_token=
My question is how does the Rate Limit work on a per user basis if I am using my App Access Token? Since the App Access Token identifies the app how does Facebook manage the 200 calls / hour per user rate?
I am concerned with getting rate limited as it would break my app search feature.
We have an app on facebook for login on our website. I'd like to retrieve open graph data (simple things such as likes, interests, etc) combine it with our own database, to run some analysis to gage customer behavior.
I'm running into some issues with the auth token and it seems like even though the user approved the app, you cannot retroactively pull the customer data. Is this correct, or am I missing something?
To fetch data that occurred in the past (e.g. using a script) then you'll need to make use of long term access tokens. Facebook's documentation gives a great overview on how these work, but in short:
Short term access tokens are usually perfect for actions the user takes while on your website/app.
Long term access tokens are great for providing access to the user's profile when they're not actively logged in to your website/app (the short term access token will have expired & changed)
If you save a permanent access token for the user, you'll be able to pull data for all users retroactively.
To my understanding the rate limit for facebook API is about 600 calls per 600 sec, per token & IP. Now I have a website/facebook-app that allows users to browse public nightclub pages and events which does not require the user to be logged in to browse the pages so I use my App token for that. But for the user to be able to use the features on my website/app where their account interacts with the facebook graph, they have to be logged in so I use the user token for that.
So when the user is logged in, there should not be a problem with exceeding the rate limit since each user will have a different user token so each user will have a rate limit of 600 calls per 600 sec. But my concern is that my app will exceed the rate limit when the user is browsing public nightclub pages and events when they are not logged in since there will be only 1 app token and 1 IP adress(my server) being used for mutiple users. If there are mutiple users browsing the public nightclub pages and events at one time then it will be very easy to exceed the rate limit.
I've done some research and found that I can make the API calls from client-side, that way there will be a different IP address(users computer) for each user that is browsing public nightclub pages and events, so then each user will have a rate limit of 600 calls per 600 sec. But then if I make the API calls from client-side, then would my app token and app secret be visible to the user? Would this be a security risk? Can anyone verify if this is correct? Is there any other thing I can do so that the rate limit is not exceeded when users are browsing public nightclub pages and events? Thanks in advance.
When making calls from client side you do not provide the app secret, only the App ID, which the client can see regardless, because they are logged into your app. The Facebook cookie for your app contains your App ID. Each client gets their own token, which they can also see.
I'm not sure what "browsing nightclub pages" means technically, but if you can offload server work to the client using JavaScript, that is preferable. Also, when authenticating a user on your server side, try not to call $facebook->getUser() on every page request because that counts against your API limit. Try to log in clients using JavaScript if possible, if not log them in ONCE with FB server-side then set up your own session to authenticate them with your site from then on. This will cut down immensely on your API calls.
See this question: Structure of a facebook app with minimal api calls
I am building a Facebook application whose purpose is to gather statistics about Facebook users by querying their profile pages every so often. There is a sign up process where a user consents to the application and is redirected to Facebook to authorize the app. After the app has received the user's permission, it stores the access token with the user's Facebook ID number.
Every so often I want to be able to run a script that loops through all the access tokens in my database and queries the corresponding user's profile page. I am using Facebook's PHP SDK for development and therefore receive long-lived access tokens.
However, I am running into the issue of the 60 day expiration of the access token. I don't know how I can renew these access tokens, since the user does not initiate API calls; my own script does and therefore it has no information about the user being logged in or not when trying to run an API call. Is there any way to renew these access tokens behind the scenes without any information about the user whom I'm trying to query?
This is a common scenario, but one that I don't see a lot of people posting about. Let's say I have a website, example.com, that loads a list of events from a Facebook Page. It would be a bad user experience to ask the user to "allow access" to the website just so they can see a list of events.
So, what I do is generate an access token with offline access permissions via the Graph API Explorer (https://developers.facebook.com/tools/explorer). This gives me an infinite (as long as the user doesn't change their password, etc.) access token. Perfect.
Soon, though, Facebook is deprecating offline_access. Is there going to be any way to continue to show this events feed on my website without requiring a user to allow access (which would refresh the access token)?
No, there will be no more infinite access tokens. You should store the list of events in your database so you don't have to query facebook so often. This way the user doesn't have to allow access to see a list of events that you get from your data store.