Account Kit Access Tokens and Authorization Codes for Android and iOS

For Android and iOS apps, authentication works in one of two ways:

Note that the JS SDK and basic web support only authentication via authorization codes.

Access Tokens

In your app's dashboard, there is a switch labeled Enable Client Access Token Flow. When that switch is ON, your client application can (after a successful login) directly receive a long-lived access token, which it is then responsible for securely passing to your server to be used in API calls.

When the Enable Client Access Token Flow switch is OFF, your client application will (after a successful login) receive a short-lived authorization code, which it is then responsible for securely passing to your server. Your server may then use the code to retrieve an access token, which may be subsequently used for API calls. This flow is offered as threat mitigation for cases where an attacker might attempt to impersonate your client application, or otherwise intercept the long-lived API access token. It is up to you whether your threat model and the value of your data warrant the extra steps necessary to enable this flow. It is also the developer's responsibility to ensure an appropriate level of security between the client app and their own servers.

An access token returned from the SDK allows you to verify the authenticity of a user's identity on the server side when processing requests for your application.

  • A successful login creates an Account ID and an associated access token.
  • The access token can be used to access Account Kit REST APIs.
  • You should pass the access token to your application's server to verify the user's identity.

Access Tokens with Android 6.0 Auto-Backup

Account Kit access tokens are not compatible with the auto backup feature introduced in Android 6.0, Marshmallow, because the backed up access token may no longer be valid. When your app used such an invalid token, it doesn't receive Facebook data in return. To prevent this problem, exclude the access token from the data that is automatically backed up.

To do this, create an resource XML file in your project,for example, res/xml/backup_config.xml, with the following context.

<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
    <exclude domain="sharedpref" path="com.facebook.accountkit.AccessTokenManager.SharedPreferences.xml"/>
</full-backup-content>

Then reference the resource file in the `application' tag in your manifest.

<application ...  android:fullBackupContent="@xml/backup_config">

Authorization Code

An authorization code returned from the SDK is intended to be passed to your server, which exchanges it for an access token.

  • A successful login creates an account, and passes back an associated authorization code.
  • The authorization code should be passed to your application's server, which may then use the code to retrieve an access token.
  • Your application's server may then use the access token to verify the user's identity for subsequent API calls.

It's a good practice to include the access token with every server request to your application and to verify the user ID from the token and not directly from the client. This helps protect your application from unauthorized uses.

Learn more about how access tokens and authorization codes are used with the Account Kit API, see the "Access Tokens" section of Using the Graph API.