For Android and iOS apps, authentication works in one of two ways:
Note that the JS SDK and basic web support authentication via authorization codes only.
In your app's dashboard, there is a switch labeled Enable Client Access Token Flow. When that switch is ON, your client application can (after a successful login) directly receive a long-lived access token, which it is then responsible for securely passing to your server to be used in API calls.
When the Enable Client Access Token Flow switch is OFF, your client application will (after a successful login) receive a short-lived authorization code, which it is then responsible for securely passing to your server. Your server may then use the code to retrieve an access token, which may subsequently be used for API calls. This flow is offered as a mitigation for cases where an attacker might attempt to impersonate your client application, or otherwise intercept the long-lived API access token. It is up to you whether your threat model and the value of your data warrant the extra steps necessary to enable this flow. It is also the developer's responsibility to ensure an appropriate level of security between the client app and their own servers.
An access token returned from the SDK allows you to verify the authenticity of a user's identity on the server side when processing requests for your application.
Account Kit access tokens are not compatible with the auto backup feature introduced in Android 6.0, Marshmallow, because the backed-up access token may no longer be valid. When your app uses such an invalid token, it doesn't receive Facebook data in return. To prevent this problem, exclude the access token from the data that is automatically backed up.
To do this, create a resource XML file in your project, for example res/xml/backup_config.xml, with the following content.
<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
    <exclude domain="sharedpref" path="com.facebook.accountkit.AccessTokenManager.SharedPreferences.xml"/>
</full-backup-content>
Then reference the resource file in the `application` tag in your manifest.
<application ... android:fullBackupContent="@xml/backup_config">
An authorization code returned from the SDK is intended to be passed to your server, which exchanges it for an access token.
It's a good practice to include the access token with every server request to your application and to verify the user ID from the token, not directly from the client. This helps protect your application from unauthorized use.
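The server-side half of the authorization-code flow described above, as an added example that is not part of this page or of the Account Kit SDK: the server exchanges the short-lived code for an access token (the app secret never leaves the server), then derives the user's identity from the token rather than from anything the client sends. The endpoint URLs and the `AA|app_id|app_secret` app-access-token format are assumptions based on the Account Kit Graph API reference this page links to; confirm them there. The `fake_account_kit` transport is a constructed stand-in so the example runs offline; pass the real `http_get_json` in production.

```python
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict

# Assumed endpoints (confirm against the Account Kit API reference linked from this page).
ACCOUNT_KIT_TOKEN_URL = "https://graph.accountkit.com/v1.1/access_token"
ACCOUNT_KIT_ME_URL = "https://graph.accountkit.com/v1.1/me"

HttpGet = Callable[[str], Dict[str, Any]]


def http_get_json(url: str) -> Dict[str, Any]:
    """Real transport: GET the URL over HTTPS and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def exchange_code(code: str, app_id: str, app_secret: str,
                  http_get: HttpGet = http_get_json) -> str:
    """Exchange the short-lived authorization code for an access token (server side only)."""
    if not code or not code.strip():
        raise ValueError("empty authorization code")
    query = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        # App access token (assumed format "AA|app_id|app_secret"); it stays on the server.
        "access_token": f"AA|{app_id}|{app_secret}",
    })
    body = http_get(f"{ACCOUNT_KIT_TOKEN_URL}?{query}")
    token = body.get("access_token")
    if "error" in body or not token:
        raise PermissionError(f"authorization code rejected: {body.get('error', body)}")
    return str(token)


def account_id_from_token(access_token: str, http_get: HttpGet = http_get_json) -> str:
    """Resolve the account id from the token itself, never from a client-supplied field."""
    query = urllib.parse.urlencode({"access_token": access_token})
    body = http_get(f"{ACCOUNT_KIT_ME_URL}?{query}")
    account_id = body.get("id")
    if "error" in body or not account_id:
        raise PermissionError(f"access token rejected: {body.get('error', body)}")
    return str(account_id)


def authenticate_login(request_body: Dict[str, Any], app_id: str, app_secret: str,
                       http_get: HttpGet = http_get_json) -> str:
    """Handle the client's login request. Only the code is used as input; any user id
    the client includes is ignored, and the identity comes from the verified token."""
    token = exchange_code(str(request_body.get("code", "")), app_id, app_secret, http_get)
    return account_id_from_token(token, http_get)


# --- Constructed stand-in for the Account Kit API so the example runs offline ---
FAKE_CODE = "code-good"
FAKE_TOKEN = "EMAW-constructed-token"


def fake_account_kit(url: str) -> Dict[str, Any]:
    parsed = urllib.parse.urlparse(url)
    q = urllib.parse.parse_qs(parsed.query)
    if parsed.path.endswith("/access_token"):
        if q.get("code") == [FAKE_CODE] and q.get("access_token") == ["AA|app123|secret456"]:
            return {"id": "1234", "access_token": FAKE_TOKEN}
        return {"error": {"message": "Invalid authorization code", "code": 190}}
    if parsed.path.endswith("/me"):
        if q.get("access_token") == [FAKE_TOKEN]:
            return {"id": "1234"}
        return {"error": {"message": "Invalid access token", "code": 190}}
    raise ValueError(f"unexpected URL {url}")


if __name__ == "__main__":
    # The client claims to be user 999, but the token resolves to 1234: the server uses 1234.
    verified = authenticate_login({"code": FAKE_CODE, "user_id": "999"},
                                  "app123", "secret456", fake_account_kit)
    print("verified account id:", verified)
```

Because the transport is injected, the same handler runs against the constructed fake in tests and against `http_get_json` in production; the client's `user_id` field is deliberately never read, which is the property the guidance above is after.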
To learn more about how access tokens and authorization codes are used with the Account Kit API, see the "Access Tokens" section of Using the Graph API.