Facebook Login for Business

Facebook Login for Business is the preferred authentication and authorization solution for Tech Providers building integrations with Meta’s business tools to create marketing, messaging, and selling solutions.

Benefits

Compared to Facebook Login, Facebook Login for Business allows you to specify the access token type, the types of assets, and the permissions your app needs, and save them as a set (a configuration). You can then present the set to your business clients, who complete the flow and grant your app access to their business assets. It also allows you to choose between different access token types based on your app's needs.

Most of the apps that can access user data must go through Ongoing Review. Additionally, apps using Facebook Login for Business have reduced requirements for certain ongoing compliance reviews because they are limited to accessing business permissions and features.

Supported Permissions

You may request the following permissions from your business clients. Note that unlike Facebook Login, Facebook Login for Business requires your business client to grant all of the permissions that you specify in your configuration.

The email and public_profile permissions are automatically granted to all apps. However, they must be used with at least one other supported permission for each app installation.

The public_profile permission is automatically granted to all apps; however, it will not be returned in the scope parameter unless at least one other supported permission, excluding email, is granted by an app user.

Available Permissions (supported token types: User access tokens, Business Integration System User access tokens)

  • ads_management
  • ads_read
  • business_management
  • catalog_management
  • commerce_account_manage_orders
  • commerce_account_read_orders
  • commerce_account_read_reports
  • commerce_account_read_settings
  • commerce_manage_accounts
  • email* (N/A for Business Integration System User access tokens)
  • instagram_basic
  • instagram_content_publish
  • instagram_manage_comments
  • instagram_manage_insights
  • instagram_manage_messages
  • instagram_shopping_tag_products
  • leads_retrieval
  • manage_fundraisers
  • pages_manage_cta
  • page_events
  • pages_manage_ads
  • pages_manage_engagement
  • pages_manage_instant_articles
  • pages_manage_metadata
  • pages_manage_posts
  • pages_messaging
  • pages_read_engagement
  • pages_read_user_content
  • pages_show_list
  • private_computation_access
  • public_profile* (N/A for Business Integration System User access tokens)
  • publish_video
  • read_insights
  • read_audience_network_insights
  • whatsapp_business_management
  • whatsapp_business_messaging

Available Features

  • Ads Management Standard Access
  • Business Asset User Profile Access
  • Human Agent
  • Instagram Public Content Access
  • Live Video API
  • Page Mentions
  • Page Public Content Access
  • Page Public Metadata Access

Supported Access Tokens

You can use Facebook Login for Business to get either Business Integration System User access tokens or User access tokens.

User Access Tokens

User access tokens should be used if your app takes actions in real time, based on input from the user. For example, use a User access token if your app requires a user to input text and click a button in order to post content to their Page. User access tokens should also be used if you require an API that requires admin permissions on a Business Portfolio.

Business Integration System User Access Tokens

Business Integration System User access tokens should be used if your app performs programmatic, automated actions on your business clients' assets without relying on input from an app user or requiring re-authentication at a future date. For example:

  • Hourly, automated server-to-server conversion API calls
  • Sending automated responses as a Page or WhatsApp Business Account
  • Continuous, automated updates to product catalog inventories
  • Automated retrieval of ads insights

To get Business Integration System User access tokens from your business clients:

  • Your app cannot request logins from mobile surfaces (i.e., Android, iOS, etc.)
  • Businesses onboarding to your app must have, or be willing to create, a Business portfolio
  • Your app must be associated with a Business portfolio over which you have full control. This must be separate from the Business portfolio owned by your business client.

To test the Business Integration System User access token flow, the tester must have a role on the app and full control of the client business.

Business Integration System User vs. Regular System User

Access
  • Business Integration System User: Can be accessed by the Tech Provider only.
  • Regular System User: Can only be accessed by the business users within the same business.

Representation
  • Business Integration System User: Part of the Tech Provider integration's infrastructure, initialized by the client business through the installation of the Tech Provider's app.
  • Regular System User: Represents servers or software making API calls to assets owned or managed by a Business Manager.

Token Invalidation
  • Business Integration System User: Access tokens cannot be invalidated via the System User tab in the Business Manager. Instead, business clients must go to Business Manager > Business Settings > Integrations > Connected Apps and click Remove app to uninstall the app, which invalidates the tokens.
  • Regular System User: Not applicable.

Granular Business Integration System User Access Tokens

If you need different access setups for different purposes or departments, you can use multiple granular Business Integration System User access tokens per client business to improve the scalability and security of your integrations.

Granular access tokens are still specific to a client business portfolio. They are not shareable or accessible across different client businesses. Their scope and asset list are a subset of those of the original Business Integration System User access token.

This isolates potential security incidents: if a token is compromised, only that specific client business is impacted, rather than all Business portfolios across all client businesses.

Business Integration System User Access Token Management API

When a client business installs an app through Facebook Login for Business and generates a Business Integration System User access token, the token includes a client business ID. This ID represents the client business and is used by your app to make API calls.

The /<CLIENT_BUSINESS_ID>/system_user_access_tokens endpoint allows you to manage your existing Business Integration System User access tokens. Actions include:

  • Generate granular Business Integration System User access tokens from the existing Business Integration System User access tokens
  • Fetch any existing Business Integration System User access tokens

Parameters

access_token (string)
Required. This access token requires the business_management permission.

appsecret_proof (string)
Required. The appsecret_proof is a SHA-256 hash of your access token that proves the API call comes from your server, making the call more secure.

asset (int)
Optional. When you want to generate a more granular token, you can set a list of asset IDs, separated by commas. The list of assets must be a subset of the assets from the original access token.

fetch_only (bool)
Optional. Set this flag to fetch the existing token and indicate that the operation is read-only.

scope (bool)
Optional. When you want to generate a more granular token, you can set a list of scope IDs, separated by commas. The list of scopes must be a subset of the scopes from the original access token.

set_token_expires_in_60_days (bool)
Optional. When you generate a new token, set to true so that the token expires in 60 days.

system_user_id (int)
Optional. The ID of the system user included in the access token.

Sample Request

Formatted for readability.

curl -i -X POST "https://graph.facebook.com/v20.0/<CLIENT_BUSINESS_ID>/system_user_access_tokens
    ?appsecret_proof=<APPSECRET_PROOF_HASH>
    &access_token=<ACCESS_TOKEN>
    &system_user_id=<SYSTEM_USER_ID>
    &fetch_only=true"

On success your app receives a JSON response with a new access token to be used in subsequent API calls.

{
  "access_token": "<NEW_ACCESS_TOKEN>" 
}
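The following is an added example, not code from Meta's documentation or SDKs, showing how a server would compute the appsecret_proof (HMAC-SHA256 of the access token keyed with the app secret) and assemble the system_user_access_tokens request above, enforcing the rule that a granular token's assets and scopes must be a subset of the original token's. The business ID, token and secret values are constructed placeholders, and the helper only builds the request; it does not send it.

```python
import hashlib
import hmac
from urllib.parse import urlencode

GRAPH_API = "https://graph.facebook.com/v20.0"


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """appsecret_proof = hex(HMAC-SHA256(key=app_secret, msg=access_token)).

    Computed server-side only: the app secret must never reach a browser or
    mobile client, which is also why this endpoint is server-to-server.
    """
    return hmac.new(app_secret.encode(), access_token.encode(),
                    hashlib.sha256).hexdigest()


def is_subset(requested, original) -> bool:
    """Granular tokens may only narrow access: every requested ID must appear
    in the list carried by the original Business Integration System User token."""
    return set(requested).issubset(set(original))


def build_system_user_token_request(client_business_id, access_token, app_secret,
                                    *, system_user_id=None, fetch_only=False,
                                    assets=None, scopes=None,
                                    original_assets=(), original_scopes=(),
                                    expires_in_60_days=False):
    """Build the POST to /<CLIENT_BUSINESS_ID>/system_user_access_tokens.

    Returns the final URL and the query parameters so the caller can inspect
    or log them (minus secrets) before sending. No network call is made here.
    """
    params = {
        "access_token": access_token,
        "appsecret_proof": appsecret_proof(access_token, app_secret),
    }
    if system_user_id is not None:
        params["system_user_id"] = str(system_user_id)
    if fetch_only:
        # Read-only: return the existing token, do not mint a new one.
        params["fetch_only"] = "true"
    else:
        if assets:
            if not is_subset(assets, original_assets):
                raise ValueError("requested assets exceed the original token")
            params["asset"] = ",".join(str(a) for a in assets)
        if scopes:
            if not is_subset(scopes, original_scopes):
                raise ValueError("requested scopes exceed the original token")
            params["scope"] = ",".join(scopes)
        if expires_in_60_days:
            params["set_token_expires_in_60_days"] = "true"
    url = f"{GRAPH_API}/{client_business_id}/system_user_access_tokens?{urlencode(params)}"
    return {"method": "POST", "url": url, "params": params}
```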

Comparison

Business Integration System User access tokens vs. User access tokens

Access Designations
  • Business Integration System User access tokens: Access is explicitly delegated at the time of authorization. Your app can only access the assets that were designated by your business client when they completed the Facebook Login for Business flow.
  • User access tokens: Access is inherited from your app user's current account access; you can access the same business assets that the app user currently has access to.

Account association
  • Business Integration System User access tokens: Associated with your business client's business account rather than a specific user. Any admin in your business client's admin group can grant your app a System User access token.
  • User access tokens: Associated with your app user's personal account.

Expiration and refresh
  • Business Integration System User access tokens: Defaults to never expire, suiting the common offline server-to-server use case.
  • User access tokens: A short-lived token for online activities such as web browsers.

OAuth grant type
  • Business Integration System User access tokens: Authorization Code grant only.
  • User access tokens: Implicit grant by default; can support the Authorization Code grant for improved security. Mainly used for user-agent based clients such as web browsers and mobile apps.

Invalidate Client Access Tokens
  • Business Integration System User access tokens: Your business clients can invalidate these tokens by going to Business Manager > Settings > Business Settings > Integrations > Connected apps and removing your app.
  • User access tokens: Your business clients can invalidate these tokens by going to Facebook and navigating to Settings & privacy > Settings > Security and login > Business Integrations and removing your app.

Login flow Experience

Video: User access token login flow
Video: Business Integration User access token login flow

Get Started

To use Facebook Login for Business, you need to create a Business type app.

Create a Configuration

A configuration is a grouping of the token type, business assets, and permissions your app requires from business clients. This grouping will be presented to users as part of the login flow when they install your app. You can create multiple configurations and present them to different sets of users, depending on your app's needs. To create a configuration:

  1. Select your app in the App Dashboard
  2. Add the Facebook Login for Business product
  3. Select Configurations
  4. Click + Create Configuration
  5. Name your configuration
  6. Choose the type of access token you want to request from your business clients
  7. If you chose System User Access Token then select the assets your app needs access to
  8. Select the permissions your app needs
  9. Click Create

Create a WhatsApp Business Platform Embedded Signup configuration

To create a WhatsApp Embedded Signup configuration, visit our WhatsApp Embedded Signup guide.

Create a Conversions API for Business Messaging configuration

To create a Conversions API for Business Messaging configuration, visit our Marketing API – Conversions API for Business Messaging guide.

Create an Instagram Graph API configuration

To create an Instagram Graph API configuration, visit our Instagram Graph API documentation.

Invoke a Login Dialog

You can invoke the Facebook Login for Business login dialog using our SDKs, or you can invoke the login dialog by manually building the login flow.

Invoking with our SDKS

You can use any of our SDKs to invoke the login dialog by replacing the list of scopes (permissions) your app needs with your configuration ID and the access token's required OAuth grant type.

If you are unfamiliar with our SDKs, we recommend that you first install the JavaScript SDK and get it working with the consumer Facebook Login product before proceeding, as the following examples reference the SDK.

Business Integration System User Access Token Configurations

Here's an example of the JavaScript SDK's FB.login() method modified to use a configuration for a System User access token. Note that config_id has replaced scope (which should not be used), response_type has been set to code, since System User access tokens (SUATs) require the Authorization Code grant type, and override_default_response_type must be set to true. When true, any response types passed in response_type take precedence over the default types.

FB.login(
  function(response) {
    // Handle the login response (contains the authorization code on success)
    console.log(response);
  },
  {
    config_id: '<CONFIG_ID>',            // configuration ID goes here
    response_type: 'code',               // SUATs require the Authorization Code grant
    override_default_response_type: true // make response_type take precedence
  }
);

When the user completes the login dialog flow we will redirect the user to your redirect URL and include a code. You must then exchange this code for an access token by performing a server-to-server call to our servers.

GET https://graph.facebook.com/v20.0/oauth/access_token?
  client_id=<APP_ID>
  &client_secret=<APP_SECRET>
  &code=<CODE>

See Exchanging Code for an Access Token for more information about this step.

User Access Token Configurations

Here's an example of the JavaScript SDK's FB.login() method modified to use a configuration for a User access token. Note that config_id has replaced scope (although scope can still be included, we recommend that you do not use it).

FB.login(
  function(response) {
    console.log(response);
  },
  {
    config_id: '<CONFIG_ID>' // configuration ID goes here
  }
);

Here's an example of the JavaScript SDK's login button modified to use a User access token configuration:

<fb:login-button config_id="<CONFIG_ID>" onlogin="checkLoginState();">
</fb:login-button>

Invoking Manually

See Manually Building the Login Flow to learn how to invoke the login dialog manually. When invoking the login dialog and setting the redirect URL, include your configuration ID as an optional parameter (although scope can still be included, we recommend that you do not use it).

config_id=<CONFIG_ID>

Switch to Facebook Login for Business

It is recommended that you conduct testing and learn about potentially encountered problems before switching to Facebook Login for Business.

Facebook Login for Business is available to Business and eligible None type apps.

If your app is eligible to switch to Facebook Login for Business, you should see an opt-in banner by following these steps:

  1. Select your app in the App Dashboard
  2. Go to or add the Facebook Login product
  3. Click either Settings or Quickstart in the left side menu
  4. Click the “Get started with Facebook Login for Business” button at the top of the page.

Note that your current access tokens will not be impacted upon switching to Facebook Login for Business. Additionally, any test app(s) associated with this app will also switch to Facebook Login for Business.

After switching, your app type will be under Business type. If your app is not functioning as intended, each app is allowed to roll back to Facebook Login within 30 days after the switch.

Troubleshooting

Business clients might encounter error messages for the following reasons:

  • Config ID is invalid
  • Business System User Access Token is not currently supported on Mobile devices
  • Business System User Access Token is set up with incorrect response_type

Potential breaking changes:

  • If your app type is currently None, switching to Facebook Login for Business will change your app’s type to Business and will only retain access to the permissions, features and products listed above.
  • If you request permissions or features from business clients that Facebook Login for Business doesn’t support, those permissions and features will be revoked immediately once you switch your app to Facebook Login for Business.
  • If you only request email and/or public_profile from your business clients, switching the app to Facebook Login for Business will lead to the invalidation of all previously installed tokens for these clients.
  • If your app has both Facebook Login for Business and Meta Business Extension, the Meta Business Extension experience will be limited to permissions supported by Facebook Login for Business.
  • Business Asset User Profile Access may affect how user profile data is accessed and managed through our APIs.
  • Note that if the login dialog for Facebook Login for Business is invoked via a configuration ID and you then decide to roll back to Facebook Login, the login dialog might fail to load, because Facebook Login does not support the config_id parameter; you must replace the config_id parameter with the scope parameter instead.

Learn more about Meta Business Extension.

Switch back to Facebook Login

Only available when an existing app has switched to Facebook Login for Business; newly created Business type apps cannot switch back to Facebook Login.

If your app is not functioning as intended after switching to Facebook Login for Business, you can roll back to Facebook Login by going to App Dashboard > Facebook Login for Business > Settings and clicking the Switch to Facebook Login link. You will be presented with a survey that helps us improve the Facebook Login for Business configuration experience. Each app is allowed to roll back to Facebook Login within 30 days after the switch.

FAQs

Facebook Login for Business isn’t available for my app - what should I do?

The easiest way to add Facebook Login for Business is to create a new Business Type app, where Facebook Login for Business is automatically available, and request supported business permissions through App Review. If you want to use it for an existing None type app, your app must have advanced access to at least one supported business permission.

What should I use for authentication if my app is not intended for businesses or if I am not a Tech Provider building an app for other businesses to use?

If you are not a Tech Provider building solutions using Meta’s business APIs, Facebook Login is recommended for consumer authentication.

What permissions do I need to request when implementing Facebook Login for Business?

Only request the minimum permissions necessary for your app's functionality. Be transparent with users about why you need each permission and feature. Note that the email and public_profile permissions must be requested with at least one other supported business permission.

Is advanced access to the public_profile permission required before a Facebook Login for Business app goes live?

Yes, advanced access to the public_profile permission is required for Facebook Login for Business apps before they go live. This requirement is crucial to ensure that the app can support authorization from users who do not have an app role, commonly referred to as external users.