Facebook conversion pixel with "server to server" option - facebook

I'm investigating usage of CPA ad types in our application and was reading about pixels for tracking conversions. It states that there are JS/HTML pixels available, but I'm wondering if there is a pixel that could be triggered on server side, (i.e. using file_open from our script). This would be a huge benefit for my app, since it would enable me to lower discrepancy and also allow more flexibility.
Does anyone have an idea?

No, there is no ability to record conversion using a server-to-server method at the moment.

Now you have options for behavior like this. Note: You cannot fire a "piexl" from the server, because pixels are specific to web pages.
Facebook created the Offline Conversions api to allow you to upload conversions that happen outside a website, like users purchasing something in a brick and mortar, or conversions that don't count until you have verified the information yourself (i.e. you must have a human review a user's sign up)

Now the right way to do it is using the Conversions API:
The Conversions API allows advertisers to send web events from their servers directly to Facebook. Server events are linked to a pixel and are processed like browser pixel events.
So it's exactly what you need.
(It's previously called Facebook Server-Side API, by the way.)

Related

Can you optimize toward non-web Facebook Conversions API events?

Facebook has introduced the "action_source" parameter into Conversions API, which for most use cases will be "website" for the value. Are we able to optimize toward conversions we send in this manner for values other than "website"?
For example, let's say that we currently drive people toward a page where we collect their information and then call them over the phone to finalize the order. We could send that final order as a conversions API purchase event with action_source="phone_call" and we'd like to optimize our ads toward the finalized order if possible.
Yes you can optimize toward conversions API events with any action_source except "physical_store" and "app" (as of May 2021). You can see a list of action_source values here:
https://developers.facebook.com/docs/marketing-api/conversions-api/parameters/server-event#action-source
Keep in mind, that if you use "website" as the action_source you will also need to pass client_user_agent and event_source_url to comply with privacy protecting policies.

How do I see in Google Analytics specific Facebook post exactly bringing me traffic?

I would like to see in analytics specific Facebook posts that are bringing traffic to the site. The 'Referrals' doesn't provide this info, but only shows how much traffic came from Facebook.com and m.facebook.com.
You can do this with the help of UTM Parameters.
What Makes Up a UTM Link?
Here’s my link for a test post
www.yourwebsite.com?utm_source=facebook&utm_medium=social&utm_campaign=post_name&utm_content=post_content
Now let’s break this link down, to understand what each metric means, and what it corresponds to in Google Analytics.
First, there is the “utm_source” value, which translates to the “source” dimension in Google Analytics. This is where traffic is coming from. You can name it whatever you want. In this example, my source is “facebook”
Equally as important is the medium, specifically “utm_medium,” which tells me what type of traffic this is. As this is from social media, I have named it social.
Easily the most important part of the link — “utm_campaign” — is the name of what you’re tracking, for example, “Summer Promotion.” Think of this as another way to roll up all the different posts and sources to see higher-level insights.
The next two metrics — “utm_term” and “utm_content” — are both optional and interchangeable. It’s about personal preference and how granular you want to get with your analysis.
If you don't want to build the URLs manually, you can use URL Builder from google.
Make sure you paste the full URL in the URL builder so that it populates the correct URL. Also make sure that you paste the whole URL created by URL builder with all UTM parameters on Facebook.
Hope this helps.

Prevent direct api access from browser

Currently as it stands, if a user reads the source of my web application, they'd be able to determine the direct URIs of all the RESTful services my web application utilizes.
The problem I see is this: My web application knows how to correctly use the API, and I might not have thought of every single validation known to man to prevent bad data from being sent through the API.
And so with that is there a method to prevent "direct" access to the API and limit it only to my web application?
P.S. As an FYI: API calls concerning a user are protected by the presence of a user-specific cookie which is only issued upon login. This means I'm not too afraid of User X being able to directly modify User Y's data through the API.
No.
If the browser is making the request, the user can spoof the request. Period.
My web application knows how to correctly use the API
That's good, but that's leading you down the path of assuming client-side functionality executed as intended. Never make that assumption.
I might not have thought of every single validation known to man to prevent bad data from being sent through the API
This statement leads me to believe that the API itself is more complex than it needs to be. The best thing you can do is simplify. It's difficult to be more specific without seeing specific code, but API requests should be fairly simple and straightforward and the same techniques to prevent malicious code from getting through should be applied universally. The same general rules apply here as in any web application interaction...
Never trust anything that came from the client
Never assume client-side code executed as intended
Never execute input as code, always treat it as a raw value
and so on...
As you mention toward the end, you've already taken care of authentication and authorization for the requests. Given that, if User X is permitted to make a given API call, then what you're essentially asking is, "How do I allow User X to make an API call without allowing User X to make an API call?" The server can't tell the difference. A request is a request.
Sure, there are things you can try, such as always including some custom header in requests made from code. But anybody can inspect that request and spoof that header. The user's browser isn't part of your application and isn't under your control.

How to use the same facebook application for different websites

I'm developing a small CMS in PHP and we're putting on social integration.
The content is changed by a single administrator who as right for publishing news, events and so on...
I'd to add this feature, when the admin publishes something it's already posted on facebook wall. I'm not very familiar with facebook php SDK, and i'm a little bit confused about it.
If (make it an example) 10 different sites are using my CMS, do I have to create 10 different facebook application? (let's assume the 10 websites are all in different domains and servers)
2nd, is there a way for authenticating with just PHP (something like sending username&password directly) so that the user does not need to be logged on facebook?
thanks
You might want to break up your question in to smaller understandable units. Its very difficult to understand what you are driving at.
My understanding of your problem could be minimal, but here goes...
1_ No you do not create 10 different facebook application. Create a single facebook application and make it a service entry point. So that all your cms sites could talk to this one site to interact with facebook. ( A REST service layer).
2_ Facebook api does not support username and password authentication. They only support oauth2.0. Although Oauth is not trivial, but since they have provided library for that, implementing authentication is pretty trivial.
Please read up on http://developers.facebook.com/docs/.
Its really easy and straight forward and well explained.
Your question is so vague and extensive that it cannot be answered well here.
If you experience any specific implementation problems, this is the right place.
However to answer atleast a part of your question:
The most powerful tool when working with facebook applications is the Graph API.
Its principle is very simple. You can do almonst any action on behalf of any user or application. You have to generate a token first that identifies the user and the proper permissions. Those tokens can be made "permanent" so you can do background tasks. Usually they are only active a very short time so you can perform actions while interacting with the user. The process of generating tokens involves the user so that he/she has to confirm the privileges you are asking for.
For websites that publish something automatically you would probably generate a permanent token one time that is active as long as you remove the app in your privacy settings.
Basically yuo can work with any application on any website. There is no limitation. However there are two ways of generating tokens. One involves on an additional request and one is done client side, which is bound to one domain oyu specifiedin your apps settings.
Addendum:
#ArtoAle
you are right about every app beeing assighend to exactly one domain. however once you obtained a valid token it doesnt matter from where or who you use it within the graph api.
let me expalin this a little bit:
it would make no sense since it is you doing the request. there is no such thing as "where the request is coming from". of course there is the "referer" header information, but it can be freely specified and is not used in any context of this.
the domain you enter in your apps settings only restricts where facebook redirects the user to.
why?
this ensures that some bad guy cannot set up a website on any domain and let the user authorize an app and get an access token with YOUR application.
so this setting ensures that the user and the access token are redirected back to YOUR site and not to another bad site.
but there is an alternative. if you use the control flow for desktop applications you don't get an access token right after the user has been redirected back. you get a temporary SESSION-TOKEN that you can EXCCHANGE for an access token. this exchange is done server side over the REST api and requires your application secret. So at this point it is ensured that it is YOU who gets the token.
This method can be done on any domain or in case of desktop applications on no domain at all.
This is a quote from the faceboo docs:
To convert sessions, send a POST
request to
https://graph.facebook.com/oauth/exchange_sessions
with a comma-separated list of
sessions you want to convert:
curl client_id=your_app_id \
-F client_secret=your_app_secret \
-F sessions=2.DbavCpzL6Yc_XGEI0Ip9GA__.3600.1271649600-12345,2.aBdC...
\
https://graph.facebook.com/oauth/exchange_sessions
The response from the request is a
JSON array of OAuth access tokens in
the same order as the sessions given:
[ {
"access_token": "...",
"expires": 1271649600, }, ... ]
However you don't need this method as its a bit more complex. For your use case i would suggest using a central point of authorization.
So you would specify your ONE domain as a redirect url. This domain is than SHARED between your websites. there you can obtain the fully valid access token and seamlessly redirect the user back to your specific project website and pass along the access token.
This way you can use the traditional easy authentication flow that is probably also more future proof.
The fact remains. Once the access token is generated you can perform any action from any domain, there is no difference as ther is literally no "domain" where the request is coming from (see above).
apart from that, if you want some nice javascript features to work - like the comments box or like button, you need to setup up open graph tags correctly.
if you have some implementation problems or as you said "domain errors" please describe them more clearly, include the steps you made and if possible an error message.

Offsite data storage for simple app, or a similar supported persistence mechanism?

Question
Is there a usable facebook entry point to the Data Storage API that facebook lists on their app admin page for developers, or should I consider an alternate mechanism? What alternative mechanisms exist to simply persist my information offsite (away from my server app) without stuffing it into a cookie that's prone to expire?
...
Background
The facebook Data Store Admin tool is made available in a facebook App's Settings as seen here: (continue reading below)
However when I visit the DataStoreAdmin link nothing works (i.e. clicking the buttons to define the data store types and objects does nothing - I have tried different browsers).
The Wiki page for Data Store API hasn't been updated recently and the second last update says the beta Data Store was taken offline.
It seems odd the link would be readily available and highly visible at the top of the App configuration area if indeed it's defunct. I was hoping some kind of key/value pair solution to remove the data calls from my own server.
DataStore API is being deprecated, don't use it! You can see this here. You are advised to store the data yourself on your server.