This article was written in collaboration with Luigi Coniglio, lead engineer on this project.
Meta is excited to announce that it is partnering with GitHub as part of its Secret Scanning Program to protect people against misuse of Facebook access tokens.
GitHub is used by millions of developers all around the world to store and manage their code. By participating in the Secret Scanning Program, Meta will work with GitHub to mitigate risks associated with exposed access tokens, which are used to identify a user, app, or page. Access tokens contain sensitive information and should be kept confidential at all times, as stated in our Platform Terms. Publicly accessible access tokens risk being used for unauthorized access to an app and potentially API data.
When new code is pushed to a public repository, GitHub will scan it for Facebook access tokens; if any are detected, GitHub will send that information to Meta. Meta will then automatically invalidate any reported token that still has a valid session. When an access token is invalidated, the app admin will be notified via the Developer Dashboard.
Our partnership with GitHub is part of our ongoing effort to protect user data and the security of our platform. Learn more about our access tokens in our Developer Docs.