If your app publishes on behalf of its users and requires an access token with no expiration time for the purpose of publishing, you should use an App Access Token. An App Access Token is signed using your app secret and will not expire; it will be invalidated if you re-key/reset your application secret.
App Access Tokens should only be used when the publishing calls originate directly from your servers, so that the token stays private to the app. For example, you should not publish using an App Access Token from within a client such as a native mobile app. Doing so could allow individuals to extract the App Access Token from the client, which would then allow them to take actions on behalf of your app. Instead, have your native mobile app queue actions with your server and have your server publish the stories to Facebook using the App Access Token. For this reason, if your 'App Type' in Settings > Advanced is set to 'Native/Desktop', we assume that your client app contains the App Secret or an App Access Token in its binary, and we do not allow calls signed with an App Access Token to proceed: the API will behave as though no access token was provided.
App Access Tokens are especially useful when publishing instances of “secure Open Graph actions”, Open Graph actions that should only be published by your app, such as achievements and game scores. In this specific example, a user is prevented from gaming his/her score by publishing fake scores/achievements using a user access token.
To obtain an App Access Token, invoke the following HTTP GET request:
GET https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&client_secret=YOUR_APP_SECRET
&grant_type=client_credentials
The API will respond with a string formatted as a URL query string, of the form:
access_token=YOUR_APP_ACCESS_TOKEN
You should parse this string to obtain the value of the access_token parameter, which will be your App Access Token, and store and reuse this token instead of regenerating it. An App Access Token does not expire unless you refresh the application secret through your app settings.
You can use an app access token to make API calls, in the form of POST requests, to publish information on behalf of the user, just as you would with a user access token.
Note that because you are not using a user access token, all calls to publish information on behalf of the user should reference /[USER FB ID] instead of /me.
For example, if the user has granted your app the publish_actions permission, to publish a status update on behalf of the user using an App Access Token, invoke the following HTTP POST request (curl's -F sends multipart form fields, so the message does not need percent-encoding):
curl -X POST \
-F 'message=Post with app access token' \
-F 'access_token=YOUR_APP_ACCESS_TOKEN' \
https://graph.facebook.com/4804827/feed
which in turn returns the ID of the status update post if the call is successful:
{
"id": "4804827_871793267189"
}
Note that the app access token is for publishing purposes permitted by the publish_actions permission. You will be unable to retrieve information about the status update post with the given ID using the app access token. Instead, you should use a user access token for such purposes.
If the user has not provided the appropriate permissions to publish on the user’s behalf, you will receive an error message. For example, if the user has not provided the publish_actions permission, the following error will be returned:
{
"error": {
"message": "(#200) The user has not granted the application the permission to automatically publish feed stories",
"type": "OAuthException",
"code": 200
}
}
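The two steps described above (exchanging the app id and secret for an App Access Token, then publishing to /[USER FB ID]/feed and interpreting the success or #200 error reply) as an added Python example. This is not code from the page or from Facebook's SDKs; it assumes only the request and reply shapes shown on this page and the standard library. The token value and the sample replies are constructed, and the HTTP transport is injectable so the walk-through runs offline; the token request is built server-side only, which is the whole point of the "keep it private to the app" rule above.

```python
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

GRAPH = "https://graph.facebook.com"


class GraphError(Exception):
    """An {"error": {...}} reply, e.g. code 200 when publish_actions was not granted."""

    def __init__(self, code, type_, message):
        super().__init__(f"({code}) {type_}: {message}")
        self.code, self.type_, self.message = code, type_, message


def build_app_token_request(app_id, app_secret):
    """URL of the GET that exchanges the app id and secret for an App Access Token.
    Build this on the server only: the app secret must never ship in a client binary."""
    query = urlencode({
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "client_credentials",
    })
    return f"{GRAPH}/oauth/access_token?{query}"


def parse_app_token_response(body):
    """Extract the token from the query-string style reply 'access_token=...'."""
    fields = parse_qs(body, strict_parsing=True)   # ValueError on a malformed body
    values = fields.get("access_token")
    if not values:                                  # field missing or empty
        raise ValueError("reply carries no access_token field")
    return values[0]


def build_publish_request(user_fb_id, app_token, message):
    """URL and form body of the POST to /[USER FB ID]/feed signed with an App Access Token."""
    if not str(user_fb_id).isdigit():
        # An App Access Token carries no user context, so /me is meaningless here.
        raise ValueError("publish to /<numeric user id>/feed, not /me, with an App Access Token")
    url = f"{GRAPH}/{user_fb_id}/feed"
    body = urlencode({"message": message, "access_token": app_token}).encode()  # token in the body, not the URL
    return url, body


def interpret_publish_response(body):
    """Return the new post id, or raise GraphError when the reply is an error document."""
    doc = json.loads(body)
    if "error" in doc:
        err = doc["error"]
        raise GraphError(err.get("code"), err.get("type"), err.get("message"))
    return doc["id"]


def _http_post(url, body):
    """Real transport (assumption: plain urllib suffices); not used by the offline demo."""
    with urlopen(Request(url, data=body, method="POST")) as resp:
        return resp.read().decode()


def publish_as_app(user_fb_id, app_token, message, transport=_http_post):
    """Full publish step; transport(url, body) -> reply text is injectable for offline use."""
    url, body = build_publish_request(user_fb_id, app_token, message)
    return interpret_publish_response(transport(url, body))


# Constructed sample replies shaped like the ones shown on the page (values are made up).
SAMPLE_TOKEN_REPLY = "access_token=constructed-app-token-value"
SAMPLE_OK_REPLY = '{"id": "4804827_871793267189"}'
SAMPLE_ERROR_REPLY = json.dumps({"error": {
    "message": "(#200) The user has not granted the application the permission to automatically publish feed stories",
    "type": "OAuthException",
    "code": 200,
}})


def demo():
    """Offline walk-through: parse the token once, store it, then publish against canned replies."""
    token = parse_app_token_response(SAMPLE_TOKEN_REPLY)
    post_id = publish_as_app("4804827", token, "Post with app access token",
                             transport=lambda url, body: SAMPLE_OK_REPLY)
    try:
        publish_as_app("4804827", token, "Post with app access token",
                       transport=lambda url, body: SAMPLE_ERROR_REPLY)
        denied = None
    except GraphError as e:
        denied = e.code   # 200: the user never granted publish_actions
    return token, post_id, denied


if __name__ == "__main__":
    print(demo())
```

Parse the token reply once and persist the result, as the text advises; the token only stops working when the app secret is reset. The numeric-id check in build_publish_request is an added guard for the /me pitfall the page calls out, and the error path mirrors the #200 document shown above.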
While an App Access Token is largely for the purposes of publishing information back to Facebook on behalf of the user, there is a limited set of information that can be retrieved from Facebook using an App Access Token.
Another capability of the App Access Token is to use it to make Graph API calls that manage details of your application, such as modifying parameters of your app, creating and managing test users, and reading your application’s Insights data. For more information on this, please read the following documentation: