An app that wants to access a person's data needs that person's permission. The same is true for posting to a person's timeline on their behalf: the person must explicitly grant the app permission to do so.
Authentication, privacy and permissions are all reasonably complex topics. This document is not meant to be the final source on how all of those things fit together, but instead talks about how they fit into accessing the Graph API.
Return values for API calls often reflect the permissions you have granted. Data may be missing in the results of a call if you haven't asked for or haven't been granted the right permissions.
In order to make Graph API calls on behalf of a user you need an access_token. That token is put on the end of a request to an object like so:
https://graph.facebook.com/object/call?access_token=opaque_string
That access_token is a time-limited opaque string that encodes the identity of your app and of the person on whose behalf you're calling. It also reflects the permissions that your app has asked for, as well as what the person has actually allowed. (A person can reject certain extended permissions.)
An access_token can actually reflect more than just a person. It's also possible to post on behalf of a page or an app as well. These two types of tokens aren't used in a wide variety of apps, but they are available so you can build page-management applications or access an app's insights data.
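The request shape above, as an added example that is not code from the Graph API documentation: it appends the access_token to the object URL, keeps the raw token out of log output, and handles a response in which a field is absent because the person declined the permission that would have unlocked it. The HTTP fetch is replaced by a constructed sample response so the code runs offline; the `transport` hook, the `albums` field and the error-object shape (`error.type`, `error.message`) are assumptions for the example.

```python
"""Added example (not from the Graph API docs): build a call with an
access_token, redact the token before logging, and detect data that is
missing because a permission was not granted."""
import json
import re
from urllib.parse import urlencode

GRAPH_BASE = "https://graph.facebook.com"


def build_graph_url(object_path, access_token, fields=None):
    """Append access_token (and an optional fields list) to the object URL,
    matching https://graph.facebook.com/object/call?access_token=opaque_string."""
    params = {"access_token": access_token}
    if fields:
        params["fields"] = ",".join(fields)
    return f"{GRAPH_BASE}/{object_path.strip('/')}?{urlencode(params)}"


def redact_token(url):
    """Replace the opaque token with a fixed marker before a URL reaches a log:
    the token is a bearer credential, so query-string logging must not keep it."""
    return re.sub(r"(access_token=)[^&]+", r"\1[REDACTED]", url)


def parse_graph_response(body, expected_fields):
    """Return (data, missing_fields, error_message).

    error_message is None on success. The 'error' object shape is assumed
    for this example. missing_fields lists the fields we expected but the
    token's permissions did not unlock (the API simply omits them)."""
    payload = json.loads(body)
    if "error" in payload:
        err = payload["error"]
        return {}, list(expected_fields), f"{err.get('type')}: {err.get('message')}"
    missing = [f for f in expected_fields if f not in payload]
    return payload, missing, None


# Constructed sample responses. In SAMPLE_OK the person declined user_photos,
# so the (assumed) albums field is absent rather than returned as an error.
SAMPLE_OK = json.dumps({"id": "12345", "name": "Example Person"})
SAMPLE_ERR = json.dumps({"error": {"message": "Invalid OAuth access token.",
                                   "type": "OAuthException"}})


def fetch_profile(token, transport=lambda url: SAMPLE_OK):
    """One round trip. `transport` is a hypothetical hook standing in for an
    HTTP GET: it takes the URL and returns the response body."""
    wanted = ["id", "name", "albums"]
    url = build_graph_url("me", token, fields=wanted)
    print("GET", redact_token(url))  # never print the raw token
    return parse_graph_response(transport(url), wanted)


if __name__ == "__main__":
    data, missing, error = fetch_profile("opaque_string")
    print("data:", data, "missing:", missing, "error:", error)
```

Because the token travels in the query string, anything that records request URLs (access logs, proxies, crash reports) will capture it unless it is redacted first; treat an absent field as a permission problem to surface to the user, not as a silent empty value.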
There are two resources worth looking at for more information about how to get an access_token:
For background information, please see the login section of the Graph API getting started guide. This will give you some background into the terms that are used and how they relate to the API.
See the Login conceptual guide and the associated technical guides. These documents cover the tools that Facebook offers via its APIs and SDKs that make it pretty easy to manage the token granting process.
Each Graph API call lists the permissions required to call it. For example, to access the album object, you need to be granted the user_photos permission by the person making the call. Each API has its own set of permissions, so check the reference before assuming one permission will cover all calls.
We also have an overview of the different levels of permission in the Login reference documentation.
Every Graph API call (or REST or Open Graph call) that creates an object can set the privacy on that post with the privacy parameter. There's a full guide in our privacy parameter document.
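A pre-flight check covering the two points above (per-call permissions and the privacy parameter), as an added example that is not code from the Graph API documentation: before an object-creating call is sent, confirm the granted permissions cover what the call's reference entry requires, then build the request body with an explicit privacy setting that fails closed. The permission table is constructed for the example (only user_photos for the album object comes from this page; `post_permission_placeholder` is a stand-in, not a real permission name), and the privacy JSON shape `{"value": "SELF"}` with the values listed is assumed from the privacy parameter format rather than taken from this page.

```python
"""Added example (not from the Graph API docs): check granted permissions
against what a call requires, then build a create-object body that always
carries an explicit, validated privacy parameter."""
import json
from urllib.parse import parse_qs, urlencode

# Constructed per-call permission table. user_photos for the album object is
# from the page; the POST entry uses a placeholder name, not a real permission.
REQUIRED_PERMISSIONS = {
    "GET /{album-id}": {"user_photos"},
    "POST /me/feed": {"post_permission_placeholder"},
}

# Assumed privacy values for the privacy parameter (check the privacy guide).
ALLOWED_PRIVACY = {"EVERYONE", "ALL_FRIENDS", "SELF"}


def missing_permissions(call, granted):
    """Permissions the call requires that the person has not granted.
    An empty set means the call may proceed; the caller should re-prompt
    for anything listed instead of silently sending a request that will
    return incomplete data."""
    return REQUIRED_PERMISSIONS.get(call, set()) - set(granted)


def build_post_body(message, privacy_value="SELF"):
    """Form-encoded body for an object-creating call with the privacy
    parameter attached. The default is the most restrictive value, so a
    forgotten setting narrows the audience rather than widening it."""
    if privacy_value not in ALLOWED_PRIVACY:
        raise ValueError(f"unsupported privacy value: {privacy_value!r}")
    return urlencode({"message": message,
                      "privacy": json.dumps({"value": privacy_value})})


def decode_post_body(body):
    """Inverse of build_post_body, handy for asserting what will be sent."""
    fields = parse_qs(body)
    return {"message": fields["message"][0],
            "privacy": json.loads(fields["privacy"][0])}


def prepare_post(message, granted, privacy_value="SELF"):
    """Return (body, None) when the token covers the call, or (None, missing)
    listing the permissions still needed."""
    missing = missing_permissions("POST /me/feed", granted)
    if missing:
        return None, sorted(missing)
    return build_post_body(message, privacy_value), None


if __name__ == "__main__":
    print(prepare_post("hello", granted=["user_photos"]))
    print(prepare_post("hello", granted=["post_permission_placeholder"],
                       privacy_value="ALL_FRIENDS"))
```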
We've got a couple of tools available for debugging or generating tokens. They can be found under the debugging section on our tools page.