I am wondering if it is possible to obtain an extended access token for facebook pages that do not have a facebook profile set as it's administrator. I see it is possible to create a facebook page without setting a user profile as the admin and having those pages auth with my app.
For pages that do have a facebook profile as it's administrator, I am able to extend the short lived access token when requesting the manage_pages permission. But I'm not if there is no user associated with it.
The documentation describes this process for extending page tokens.
Apps can retrieve a Page access token from Page admin users when they
authenticate with the manage_pages permission. If the user access
token used to retrieve this Page access token is short-lived, the Page
access token will also be short-lived.
To get a longer-lived Page access token, exchange the User access
token for a long-lived one, as above, and then request the Page token.
The resulting Page access token will not have an expiry time at all.
Extending Access Tokens Documentation
I am wondering if it's possible to obtain extended access tokens for pages when there is no admin associated with the page.
All pages must be owned by a user account, either a regular user account or a business account - and both work in the same way as far as the API is concerned, at least for login (business accounts don't have names, a timeline, friends, etc so are obviously not the exact same, but they log in and grant access to apps the same way)
I just tested a few minutes ago using the my app, a business account and the server side oauth flow and received a long expiry (approx 60 day) token correctly when exchanging the business account's code for an access token
I was then able go through the flow again, this time asking for manage_pages permission and was able to use the token to retrieve a non-expiring page access token for a page the account manages using the regular process (a call to /me/accounts or `/?fields=access_token)
Related
Question: Is it possible for application which associated with business manager to obtain ads_management permissions and make server-to-server calls using appId|appSecret as access token.
If yes then what are the correct steps to obtain those permissions for an app?
If no then is there a way to get access token for the user with such permissions which never expires?
Details: As stated in FB documentation, in order to make server-to-server requests without need to obtain and refresh access tokens we may use pair of app Id and app secret in form of appId|appSecret.
Our application now has the following permissions:
- email
- public_profile
- user_friends
In order to make calls to Ads API our application has to have ads_management permissions. Currently we make calls to Ads API through user-level access token and this is not preferable for us as this token requires refreshes which must be done manually using browser interaction (we can't obtain access token programmatically)
You may be confusing App Access Tokens (which allow you to make calls on behalf of the app itself) with permissions (which an individual user grants you to act on their behalf) - you'll always need a user token to update things belonging to a user.
A user, who's an admin of the ad account you want to manage, needs to grant your app ads_management permission - once they've done that, the OAuth flow gives you an access token to make API calls on their behalf, and that token doesn't expire for up to 60 days (after which point they need to come back to your site/app while logged into Facebook for you to get an updated token)
In the context of Business Manager, that user must be someone that has access via Business Manager to the assets (ad acccounts and pages) you want to update via the API
If your app has Standard access to the Ads API, you can also use 'System Users' to make sessionless API calls to update the assets of the business: https://developers.facebook.com/docs/marketing-api/businessmanager/systemuser/v2.2
More info about login here:
https://developers.facebook.com/docs/marketing-api/guides/chapter-1-Setup-and-Authentication
https://developers.facebook.com/docs/facebook-login/access-tokens
I am making a system where users can log in a see stats of Facebook pages I administer.
I don't want the users to have to log in each time they visit the site, and more importantly they will only be able to see the stats for all pages if it was my account that was logged in.
Is it common practise to log in with my account, get an extended access token and store in a database so future users don't need to keep logging in via Facebook to see the stats?
You could make use of the "manage_pages" extended permission. If your application received this permission via an User Access Token, it could call
/me/accounts
with this Access Token and receive the Page Access Tokens for all Pages this User administers. With these you could access the Page insights of the respective Page.
I'm an admin for a Facebook page I want to handle a server side job scheduler which post every specific time into that Page using Facebook Graph API.
I'm using this code to do that job: $facebook->api("/$page_id/feed","post",$args); and it is working fine for me.
But I have a problem related to Page Access Token. I need to have a permanent Page Access Token to work forever not to update the access token every specific time because it will be server side job scheduler, no GUI for it.
Any suggestion about how to get Permanent Page Access token?
Note: I followed the steps in Facebook documentation
but I have 3 wanderings about it :
Shall I have Facebook app to get Long-Lived Page Authentication ??
I don't have that option on my Facebook app advanced setting
"deprecate offline_access" ??
Is the 60 days is the max valid duration which I can give it to Page
Access Token .. can't it become permanent for ever ??
Earlier people could use offline_access permission to obtain a permanent token. But it looks like Facebook is deprecating this particular permission. Instead, you first need to obtain a short-lived token, then exchange it for a long-lived token, which remains valid for 60 days. Same goes for page tokens.
When a user grants an app the manage_pages permission, the app is able
to obtain page access tokens for pages that the user administers by
querying the [User ID]/accounts Graph API endpoint. With the migration
enabled, when using a short-lived user access token to query this
endpoint, the page access tokens obtained are short-lived as well.
Exchange the short-lived user access token for a long-lived access
token using the endpoint and steps explained earlier. By using a
long-lived user access token, querying the [User ID]/accounts endpoint
will now provide page access tokens that do not expire for pages that
a user manages. This will also apply when querying with a non-expiring
user access token obtained through the deprecated offline_access
permission.
https://developers.facebook.com/roadmap/offline-access-removal/
I'm writing code to allow uploading of events from a website to facebook, to do that I require a manage page access token, the procedure I`v found to obtain that is:
First Having added the domain to the app:
Then get a short term access token with:
https://www.facebook.com/dialog/oauth?client_id=[App ID]&redirect_uri=[full website uri]&scope=create_event&response_type=token
Then get a longer lasting access token from:
https://graph.facebook.com/oauth/access_token?client_id=[App ID]&client_secret=[App Secret]&grant_type=fb_exchange_token&fb_exchange_token=[access token given above]
Then get a page specific token from:
https://graph.facebook.com/me/accounts?access_token=[access token given above]
That returns a json encoded array with tokens for each page I manage which I gather lasts for 60 days.
However I don't manage the website I`m coding for, so don't wish to have to repeat this manual procedure every 2 months, can someone give an idea for an automated procedure or to confirm if such is not possible with facebook.
If you are extending the user access token then the page token received will not have an expiry date. So then the user will only have to login once in the entire usage of the app.
Exchange the short-lived user access token for a long-lived access token using the endpoint and steps explained earlier. By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
https://developers.facebook.com/roadmap/offline-access-removal/
I have a general Facebook development question. I'm trying to understand how scenario 5 on Facebooks Removal of offline_access page is supposed to work and what that token can be used for.
A little bit about my app. I allow my apps users to schedule/post Facebook posts from a third party system I integrate with. We then pull the likes and comments and feed it back into that system. Right now we are set up to get the 60 day long lived token and that works great but we have to impose a time limit on scheduling. It's not the end of the world but if we can do better we want to explore that option.
Thus we were told about "Scenario 5" which I've posted and linked to below. My questions are:
What does it mean by a page that the user administers?
What are the pros/cons of this method?
Similar to #2 what can this method do or not do that the 60 day access token can't/can do?
Any tips or hurdles to watch out for when implementing this?
Scenario 5: Page Access Tokens
When a user grants an app the manage_pages permission, the app is able to obtain page access tokens for pages that the user administers by querying the [User ID]/accounts Graph API endpoint. With the migration enabled, when using a short-lived user access token to query this endpoint, the page access tokens obtained are short-lived as well.
Exchange the short-lived user access token for a long-lived access token using the endpoint and steps explained earlier. By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
http://developers.facebook.com/roadmap/offline-access-removal/
This is referring to the Page access tokens which are used by your app to administer a Facebook Page on behalf of an admin of that page.
These tokens can only access the page itself, or publicly accessible content, you can't use a page access token as a replacement for a user access token.