Obtaining Facebook page access tokens: The 4 step program

More and more businesses are creating Facebook pages to promote their products and services. To keep content fresh, many websites and applications automatically post content to their pages.  Anyone who’s played a Facebook game or even used the Facebook app knows of user access tokens.  They allow an application to post content on behalf of the user. But how do these applications post content on a page, as the page?  That’s where page access tokens come into play.

What are page access tokens?

Page access tokens allow your application to carry out actions on a page as the page itself, not as a regular Facebook user.  If you are a page administrator, you are probably well aware of the feature to switch your account context to a page so that when you publish posts, create notes, or comment, they appear as if created by the page, not by you.  Page access tokens allow any application to post content as the page.

These tokens allow applications to publish content to a Facebook page automatically, that is, without the intervention of a user, by calling the Facebook Graph Page API along with the token. Using a user access token instead would post content as the Facebook user (not the page) and would also allow anyone with access to your database to potentially compromise that user’s personal account.  Storing page access tokens mitigates this risk because those tokens can only be used to issue requests on a particular page, not on the user’s own personal account.

User access tokens, even long lived ones, expire after some time.  “Long lived” page access tokens do not expire and thus are especially suited for application use.

How to obtain page access tokens?

Obtaining a Facebook page access token requires 4 steps that must be followed in order.

  1. Register a Facebook application.
  2. Retrieve a user access token for a Facebook account that has appropriate content editing permissions for your page.
  3. Exchange that short lived token for a long lived token.
  4. Use the long lived token to obtain the page access token.

Integrating into your application?

There are several ways of implementing the 4 steps above.  If your application is a website, you will want a way for administrators (who also have access to Facebook accounts that can manage your page) to dynamically generate a new page access token if the existing token becomes invalid.  To start, your application must have access to a Facebook application ID, application secret, and the ID of the page you wish to receive a token for.

1 The OAuth Dialog

First, register a Facebook application and obtain an application ID and secret. Now, within your website, create a page that can only be accessed by your site’s admins. This page will provide a button to invoke the OAuth Dialog popup, which will allow your admins to log into Facebook using your FB app.

The URL for the button should be of the following form:

https://www.facebook.com/dialog/oauth?client_id=<APP_ID>&redirect_uri=<REDIRECT_URL>&scope=manage_pages%2Cpublish_stream&state=<STATE>

Where:

  • APP_ID is your application id.
  • REDIRECT_URL is a callback URL that Facebook will request when authorization is successful.
  • STATE is a unique, unguessable value (generated by you) which Facebook sends back unchanged as a request parameter on the REDIRECT_URL request, so your callback can confirm that the response belongs to the login it started.

What Comes back:

  • CODE is a code generated by Facebook that ties this particular successful OAuth login to the subsequent request for an access token.

2 Obtain User Access Token (Short Lived)

Next, obtain the short lived user access token using the “code” which was passed to your site as a request parameter on the callback. To do this, issue a GET request to the following URL:

https://graph.facebook.com/oauth/access_token?client_id=<APP_ID>&client_secret=<APP_SECRET>&code=<CODE>

Where:

  • APP_ID is your application id.
  • APP_SECRET is your application secret.
  • CODE is the value of the code request param on the callback URL in step 1.

What comes back:

  • The JSON response will contain the short lived access token.

3 Obtain User Access Token (Long Lived)

You must exchange this short lived token for a long lived token by issuing a GET request to the following URL:

https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id=<APP_ID>&client_secret=<APP_SECRET>&fb_exchange_token=<SHORT_LIVED_TOKEN>

Where:

  • APP_ID is your application id.
  • APP_SECRET is your application secret.
  • SHORT_LIVED_TOKEN is the short lived user access token received in the previous step.

What comes back:

  • The JSON response will contain the long lived access token.

4 Obtain Page Access Token

Use the long lived token to retrieve a page access token by issuing a final GET request to:

https://graph.facebook.com/me/accounts?access_token=<LONG_LIVED_TOKEN>

Where:

  • LONG_LIVED_TOKEN is the access token received in step 3.

What comes back:

The JSON response will contain an array of all pages this particular user has permission to manage. Iterate through this list to find the page of interest. Its access_token is long lived and thus will not expire, and it can be stored in your database.  Below is an example response:

{
  "data": [
    {
      "category": "Website",
      "name": "My Test Page",
      "access_token": "CAAChdS...",
      "perms": [
        "ADMINISTER",
        "EDIT_PROFILE",
        "CREATE_CONTENT",
        "MODERATE_CONTENT",
        "CREATE_ADS",
        "BASIC_ADMIN"
      ],
      "id": "999999"
    },
    {...}
  ]
}
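The four steps above, as an added example that is not code from the original post. The Facebook endpoints and query parameters are the ones the post lists; every function name, the injected fetch callable, and the fake_facebook stand-in with its token values are assumptions constructed here so the flow runs offline. It generates an unguessable STATE for step 1 and checks it on the callback before exchanging the code, so a callback that was not started by the admin’s own session is rejected, and it returns only the page token for storage; the user tokens are dropped once step 4 completes.

```python
# Added example (not code from the original post): the four steps as plain
# functions, with the HTTP GET injected as a callable so the flow runs offline.
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OAUTH_DIALOG = "https://www.facebook.com/dialog/oauth"
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"
ACCOUNTS_ENDPOINT = "https://graph.facebook.com/me/accounts"
SCOPE = "manage_pages,publish_stream"  # the scope string the post uses


def new_state() -> str:
    """Step 1: an unguessable STATE, kept in the admin's server-side session."""
    return secrets.token_urlsafe(32)


def oauth_dialog_url(app_id: str, redirect_url: str, state: str) -> str:
    """Step 1: the URL behind the admin-only button."""
    params = {"client_id": app_id, "redirect_uri": redirect_url,
              "scope": SCOPE, "state": state}
    return f"{OAUTH_DIALOG}?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Read CODE off the REDIRECT_URL request, refusing a callback whose STATE
    does not match the one this session generated."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no code parameter")
    return code


def _token_from_body(body: str) -> str:
    """Token endpoints answer with JSON {"access_token": ...}; some older Graph
    API versions answered 'access_token=...&expires=...' (assumption), so both
    shapes are accepted."""
    try:
        return json.loads(body)["access_token"]
    except ValueError:
        return parse_qs(body)["access_token"][0]


def short_lived_user_token(fetch, app_id: str, app_secret: str, code: str) -> str:
    """Step 2: trade CODE for a short lived user token (server side: carries the secret)."""
    params = {"client_id": app_id, "client_secret": app_secret, "code": code}
    return _token_from_body(fetch(f"{TOKEN_ENDPOINT}?{urlencode(params)}"))


def long_lived_user_token(fetch, app_id: str, app_secret: str, short_token: str) -> str:
    """Step 3: exchange the short lived token for a long lived one."""
    params = {"grant_type": "fb_exchange_token", "client_id": app_id,
              "client_secret": app_secret, "fb_exchange_token": short_token}
    return _token_from_body(fetch(f"{TOKEN_ENDPOINT}?{urlencode(params)}"))


def page_access_token(fetch, long_token: str, page_id: str) -> str:
    """Step 4: list the pages the user manages and pick the one we want.
    Only the page token is returned; the user tokens are never persisted."""
    body = fetch(f"{ACCOUNTS_ENDPOINT}?{urlencode({'access_token': long_token})}")
    for page in json.loads(body)["data"]:
        if page.get("id") == page_id:
            return page["access_token"]
    raise LookupError(f"user does not manage page {page_id}; no page token issued")


def run_flow(fetch, app_id, app_secret, callback_url, expected_state, page_id) -> str:
    """Steps 2 to 4 in order, starting from the callback Facebook issued."""
    code = code_from_callback(callback_url, expected_state)
    short_token = short_lived_user_token(fetch, app_id, app_secret, code)
    long_token = long_lived_user_token(fetch, app_id, app_secret, short_token)
    return page_access_token(fetch, long_token, page_id)


def fake_facebook(url: str) -> str:
    """Constructed stand-in for Facebook's endpoints; every value is made up."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    if parts.path == "/oauth/access_token" and "code" in query:
        return json.dumps({"access_token": "SHORT-constructed", "expires_in": 5183944})
    if parts.path == "/oauth/access_token" and query.get("fb_exchange_token") == ["SHORT-constructed"]:
        return "access_token=LONG-constructed&expires=5183944"  # older form-encoded shape
    if parts.path == "/me/accounts" and query.get("access_token") == ["LONG-constructed"]:
        return json.dumps({"data": [
            {"category": "Website", "name": "My Test Page",
             "access_token": "PAGE-constructed", "id": "999999"},
            {"category": "Community", "name": "Other Page",
             "access_token": "PAGE-other", "id": "123456"}]})
    raise RuntimeError(f"unexpected request: {url}")


if __name__ == "__main__":
    state = new_state()
    print(oauth_dialog_url("APP_ID", "https://example.com/fb/callback", state))
    callback = f"https://example.com/fb/callback?code=CODE-constructed&state={state}"
    print(run_flow(fake_facebook, "APP_ID", "APP_SECRET", callback, state, "999999"))
```

To use it for real, pass a function that performs the GET and returns the response body (for example one built on urllib.request.urlopen) in place of fake_facebook, keep the STATE in the admin’s server-side session between the dialog and the callback, and call steps 2 to 4 only from the server, since those requests carry the application secret.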

The following sequence diagram outlines the interaction between your website's admin, your application, and Facebook.

And there you have it.  In 4 easy(ish) steps you can obtain a page access token for your application. With it, you can post or retrieve content, create events, and issue replies as the page itself.  This token is long lived and can be stored safely in your database. It will not expire unless the Facebook user you used to obtain the page access token loses permissions on the page. In that case, you will have to obtain a new page access token.

  1. Finally a guide that worked first time, thanks.

    Chris
    Nov 13th, 2013
  2. In the first step, can I just input anything in param? I tried and it does not work.

    my url: ‘https://www.facebook.com/dialog/oauth?client_id=&redirect_uri=https://m.facebook.com/home.php&scope=manage_pages%2Cpublish_stream&state=state’

    Could you please help? I’m very new to this.

    thu
    Jul 24th, 2017
