To my understanding the rate limit for the Facebook API is about 600 calls per 600 sec, per token & IP. Now I have a website/Facebook app that allows users to browse public nightclub pages and events, which does not require the user to be logged in to browse the pages, so I use my App token for that. But for the user to be able to use the features on my website/app where their account interacts with the Facebook graph, they have to be logged in, so I use the user token for that.
So when the user is logged in, there should not be a problem with exceeding the rate limit, since each user will have a different user token, so each user will have a rate limit of 600 calls per 600 sec. But my concern is that my app will exceed the rate limit when the user is browsing public nightclub pages and events when they are not logged in, since there will be only 1 app token and 1 IP address (my server) being used for multiple users. If there are multiple users browsing the public nightclub pages and events at one time then it will be very easy to exceed the rate limit.
I've done some research and found that I can make the API calls from the client side; that way there will be a different IP address (the user's computer) for each user that is browsing public nightclub pages and events, so each user will have a rate limit of 600 calls per 600 sec. But if I make the API calls from the client side, would my app token and app secret be visible to the user? Would this be a security risk? Can anyone verify if this is correct? Is there anything else I can do so that the rate limit is not exceeded when users are browsing public nightclub pages and events? Thanks in advance.
When making calls from the client side you do not provide the app secret, only the App ID, which the client can see regardless, because they are logged into your app. The Facebook cookie for your app contains your App ID. Each client gets their own token, which they can also see.
I'm not sure what "browsing nightclub pages" means technically, but if you can offload server work to the client using JavaScript, that is preferable. Also, when authenticating a user on your server side, try not to call $facebook->getUser() on every page request because that counts against your API limit. Try to log in clients using JavaScript if possible; if not, log them in ONCE with FB server-side, then set up your own session to authenticate them with your site from then on. This will cut down immensely on your API calls.
See this question: Structure of a facebook app with minimal api calls
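As an added example (not code from the question or the answer above), here is the server-side pattern the answer points at for the not-logged-in case: the app token stays on the server, every outgoing call is counted per (token, source IP) against a sliding window sized from the question's 600 calls per 600 seconds figure, and public page/event responses are cached so repeated views cost no API call. The limit, window and cache TTL are assumptions for illustration, and the injected `fetch` callable stands in for the real HTTP request so the block runs offline.

```python
import time
from collections import deque
from typing import Callable, Dict, Optional, Tuple

# Figures quoted in the question; treated here as assumptions, not a published contract.
RATE_LIMIT_CALLS = 600
RATE_WINDOW_SECONDS = 600


class GraphProxy:
    """Server-side Graph API gateway: the app token and secret never leave the server,
    calls are budgeted per (token, source IP) and public-page bodies are cached."""

    def __init__(self, fetch: Callable[[str, str], dict], cache_ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch        # performs the real HTTP GET; injected so tests run offline
        self._clock = clock
        self._cache_ttl = cache_ttl
        self._calls: Dict[Tuple[str, str], deque] = {}   # (token, ip) -> recent call timestamps
        self._cache: Dict[str, Tuple[float, dict]] = {}  # path -> (stored_at, body)

    def remaining(self, token: str, ip: str) -> int:
        """Calls left in the current window for this token/IP pair."""
        window = self._calls.setdefault((token, ip), deque())
        cutoff = self._clock() - RATE_WINDOW_SECONDS
        while window and window[0] <= cutoff:
            window.popleft()       # drop calls that have aged out of the window
        return RATE_LIMIT_CALLS - len(window)

    def get_public(self, path: str, app_token: str, server_ip: str) -> Optional[dict]:
        """Fetch a public page or event with the app token. Returns None when the budget is
        exhausted and nothing is cached, so the caller degrades instead of hammering the API."""
        now = self._clock()
        cached = self._cache.get(path)
        if cached and now - cached[0] < self._cache_ttl:
            return cached[1]                       # served from cache: costs no API call
        if self.remaining(app_token, server_ip) <= 0:
            return cached[1] if cached else None   # a stale copy beats an error; None beats a ban
        self._calls[(app_token, server_ip)].append(now)
        body = self._fetch(path, app_token)
        self._cache[path] = (now, body)
        return body
```

A user token passed in place of the app token gets its own budget, which is the per-user isolation the question describes for logged-in users.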
Related
I am having an issue with Facebook's Graph API rate limiting, which says that the
Application request limit reached
which then prevents other users from making requests, even though I have generated User Access Tokens. I know they are user access tokens because when I put them into the Access Token Debugger the Type comes back as User, and according to the documentation about user access tokens:
Graph API requests made with a user access token are counted against
that user’s call count.
so it should have nothing to do with any application usage, but it still seems to. Nothing should be done on the "application's" behalf; I always want the user, so as not to block other users in case one user is more active than others.
The user signs in on a website and a server sends the authentication token to clients, who then periodically pull content (every 15 mins). When the rate limit is reached all users appear to get the rate limit error.
Am I misunderstanding what the docs are saying about the User Tokens? Can you not have rates based on individual users and not an entire application?
I'm working on an app which implements the traditional email / password method along with Facebook login. I am working on a search autocomplete feature so when a user types in, for example, "hou" it will return cities matching that term like "Houston, Texas".
Since not all users will be logged in with Facebook I'll be using the App Access Token to call Facebook's API. This is the endpoint I am getting my data from:
https://graph.facebook.com/v2.7/search?type=adgeolocation&location_types=["city"]&country_code=US&q=hou&access_token=
My question is how does the Rate Limit work on a per user basis if I am using my App Access Token? Since the App Access Token identifies the app how does Facebook manage the 200 calls / hour per user rate?
I am concerned with getting rate limited as it would break my app search feature.
Are there any volume issues regarding the Facebook app secret and how many separate connections (or "applications") I can use the same app id/secret on? For example, I'm creating a SharePoint auto-hosted Facebook application. Auto-hosted means that the server component of my app will be automatically deployed to Azure for each SharePoint customer. There is no way (that I know of; obviously anything is hackable to a degree) that a user will be able to get the app id or secret, so I'm not concerned about the security aspect of it, or sharing the secret. However, potentially thousands of individual apps could be using the same app id/secret to connect to Facebook. Is this an issue?
By the way, I'm not necessarily talking about the bandwidth/traffic threshold, I'm more concerned with the number of individual connections using the same id/secret. I realize that the policy states: "If you exceed, or plan to exceed, any of the following thresholds please contact us as you may be subject to additional terms: (>5M MAU) or (>100M API calls per day) or (>50M impressions per day)." This is not my immediate concern.
However, potentially thousands of individual apps could be using the same app id/secret to connect to Facebook. Is this an issue?
yes, absolutely yes.
The App access token is intended for making API calls on behalf of an application, to prove the calls are made on behalf of the app itself - the typical use cases are performing administrative actions like uninstalling the app from a user profile or blocking them, updating app settings, sending notifications to authorised users, reading financial data about the app's payments transactions, etc.
If you're planning on making read calls with an app access token I suspect you're misunderstanding the access model used in Facebook's API - you should be making API calls on behalf of specific Facebook users who've granted your app permission to access and update their data - embedding an app ID and secret in code you're distributing widely is a security issue for your app's users, will quickly hit API rate limits, and if the app is shut off will break all instances of your client code immediately.
I strongly recommend you read the login documentation and ensure you're using user access tokens to request user data - https://developers.facebook.com/docs/facebook-login/
I am developing a backoffice server application which is supposed to email our customers with ads campaign statistics, where campaigns are bundled from various providers, one of them being Facebook.
Now the problem is how to download specific ads campaigns from Facebook. Basically what I need is a table for a specific campaign with values for impressions and clicks for each day from the requested range.
One problem is that the application is a background server process, running periodically without user interaction, so I suspect there could be a problem with authentication.
From what I have read so far, I believe I am supposed to
register my application on facebook
apply for Ads API access (?)
use either legacy REST API to get statistics, or perhaps adsstatistics from graph api (but I believe that the format there is not divided for particular days).
How am I supposed to authenticate in this case?
Any suggestion as to what is the right solution here?
(Note: In the past, I was doing something similar for Google, where I successfully used http://code.google.com/intl/cs/apis/adwords/docs/guides/reporting.html - this is just for reference about what I need to achieve).
See this page for authentication once you have Ads API access:
http://developers.facebook.com/docs/authentication/
In the end you'll need an access_token which is specific to your application and the Facebook account you are accessing.
Here's our process:
1. Log into the Facebook account that contains the ads data.
2. Paste this into that browser's address bar:
https://www.facebook.com/dialog/oauth?client_id={your_application_id}&scope=ads_management,offline_access,read_insights&redirect_uri={your website}
3. You should be taken to a page that allows you to authorize your application for that Facebook account (green Allow button).
4. Copy the authorization code that appears after code= in the redirected URL.
5. Paste this into that browser's address bar (you may not have a client_secret with your application; if you don't, try this without the client_secret):
https://graph.facebook.com/oauth/access_token?client_id={your_application_id}&redirect_uri={your website}&client_secret={your application secret}&code={code you got from step 4}
6. You should be taken to a page containing the access_token.
I do not think you need to store the Authorization code since the access_token shouldn't expire (if you requested offline_access) unless the log in info is changed for the Facebook Account.
Stats Retrieval
For stats retrieval, I would not use the legacy REST API since Facebook will deprecate it. The Graph API does allow stats retrieval by day; use:
GET https://graph.facebook.com/stats/{starttime}/{endtime}/stats?ids={campaign_id}&access_token=...
starttime and endtime can be in YYYY-MM-DD HH:MM:SS format or as a unix (epoch?) time
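As an added example that is not part of the answer above, the two URLs from that process built and consumed in Python on the server, so the client_secret is only ever used in the server-to-server token request and never reaches a browser. The `state` parameter is standard OAuth 2.0 CSRF protection that the answer does not use; the form-encoded `access_token=...&expires=...` response body is an assumption about the token endpoint's format at the time, and a missing `expires` is read as a non-expiring (offline_access) token as the answer describes.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

OAUTH_DIALOG = "https://www.facebook.com/dialog/oauth"
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"
SCOPES = "ads_management,offline_access,read_insights"   # the scopes used in the answer


def new_state() -> str:
    """Unguessable per-session value; store it server-side before redirecting (assumption: standard OAuth 2.0)."""
    return secrets.token_urlsafe(16)


def build_dialog_url(app_id: str, redirect_uri: str, state: str) -> str:
    """Step 2: the URL the ads-account owner opens. Only the App ID is exposed here."""
    query = {"client_id": app_id, "scope": SCOPES, "redirect_uri": redirect_uri, "state": state}
    return f"{OAUTH_DIALOG}?{urlencode(query)}"


def extract_code(redirected_url: str, expected_state: str) -> str:
    """Step 4: pull `code` out of the redirect, refusing it unless `state` matches what we issued."""
    params = parse_qs(urlparse(redirected_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this session")
    if "code" not in params:
        raise ValueError("redirect carries no authorization code")
    return params["code"][0]


def build_token_url(app_id: str, app_secret: str, redirect_uri: str, code: str) -> str:
    """Step 5: server-only request; this is the one place the App Secret is used."""
    query = {"client_id": app_id, "redirect_uri": redirect_uri,
             "client_secret": app_secret, "code": code}
    return f"{TOKEN_ENDPOINT}?{urlencode(query)}"


def parse_token_response(body: str) -> dict:
    """Step 6: parse a form-encoded body (assumed format) into a small record for the job scheduler."""
    fields = parse_qs(body)
    if "access_token" not in fields:
        raise ValueError("no access_token in response")
    expires = fields.get("expires", [None])[0]
    return {"access_token": fields["access_token"][0],
            "expires": int(expires) if expires is not None else None}
```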
I'm running into "rate limit exceeded" issues on my app. I want to get a feed:
http://twitter.com/status/user_timeline/bbcnews.json
But it tells me that the rate limit is exceeded. I assume this means for all users of the app combined. How would I authenticate my twitter app (which I have set up with twitter) before requesting this feed, or incorporate the authentication in the feed request?
Per twitter's documentation:
"Unauthenticated calls are permitted 150 requests per hour. Unauthenticated calls are measured against the public facing IP of the server or device making the request."
So, for a mobile device, this limit would be at a per device basis, not overall.
If you would like an authenticated call, you will have to let the user go through OAuth authentication and store the token on the device for subsequent calls. There are various sample projects on GitHub & the rest of the web that would help you down this road.