Facebook Login for Business is the preferred authentication and authorization solution for Tech Providers building integrations with Meta’s business tools to create marketing, messaging, and selling solutions.
Compared to Facebook Login, Facebook Login for Business allows you to specify the access token type, types of assets, and permissions your app needs, and save it as a set (configuration). You can then present the set to your business clients who can complete the flow and grant your app access to their business assets. It allows you to choose between different access tokens based on your apps’ needs.
Most of the apps that can access user data must go through Ongoing Review. Additionally, apps using Facebook Login for Business have reduced requirements for certain ongoing compliance reviews because they are limited to accessing business permissions and features.
You may request the following permissions from your business clients. Note that unlike Facebook Login, Facebook Login for Business requires your business client to grant all of the permissions that you specify in your configuration.
The email
and public_profile
permissions are automatically granted to all apps. However, they must be used with at least one other supported permission for each app installation.
The public_profile
permission is automatically granted to all apps however it will not be returned in the scope
parameter unless at least one other supported permission, excluding email
, is granted by an app user.
Available Permissions | User access tokens | Business Integration System User access tokens |
---|---|---|
ads_management | ✓ | ✓ |
ads_read | ✓ | ✓ |
business_management | ✓ | ✓ |
catalog_management | ✓ | ✓ |
commerce_account_manage_orders | ✓ | ✓ |
commerce_account_read_orders | ✓ | ✓ |
commerce_account_read_reports | ✓ | ✓ |
commerce_account_read_settings | ✓ | ✓ |
commerce_manage_accounts | ✓ | ✓ |
email * | ✓ | N/A |
instagram_basic | ✓ | ✓ |
instagram_content_publish | ✓ | ✓ |
instagram_manage_comments | ✓ | ✓ |
instagram_manage_insights | ✓ | ✓ |
instagram_manage_messages | ✓ | ✓ |
instagram_shopping_tag_products | ✓ | ✓ |
leads_retrieval | ✓ | ✓ |
manage_fundraisers | ✓ | ✓ |
pages_manage_cta | ✓ | ✓ |
page_events | ✓ | ✓ |
pages_manage_ads | ✓ | ✓ |
pages_manage_engagement | ✓ | ✓ |
pages_manage_instant_articles | ✓ | ✓ |
pages_manage_metadata | ✓ | ✓ |
pages_manage_posts | ✓ | ✓ |
pages_messaging | ✓ | ✓ |
pages_read_engagement | ✓ | ✓ |
pages_read_user_content | ✓ | ✓ |
pages_show_list | ✓ | ✓ |
private_computation_access | ✓ | ✓ |
public_profile * | ✓ | N/A |
publish_video | ✓ | ✓ |
read_insights | ✓ | ✓ |
read_audience_network_insights | ✓ | ✓ |
whatsapp_business_management | ✓ | ✓ |
whatsapp_business_messaging | ✓ | ✓ |
|
|
|
You can use Facebook Login for Business to get either Business Integration System User access tokens or User access tokens.
User access tokens should be used if your app takes actions in real time, based on input from the user. For example, use a User access token if your app requires a user to input text and click a button in order to post content to their Page. User access tokens should also be used if you require an API that requires admin permissions on a Business Portfolio.
Business Integration System User access tokens should be used if your app performs programmatic, automated actions on your business clients' assets without having to rely on input from an app user, or require re-authentication at a future date. For example:
To get Business Integration User access tokens from your business clients:
To test the Business Integration System User access token flow, the tester must have a role on the app and full control of the client business.
Business Integration System User | Regular System User | |
---|---|---|
Access | Can be accessed by the Tech Providers only. | Can only be accessed by the business users within the same business. |
Representation | Part of the Tech Provider integration's infrastructure, initialized by client business through Tech Provider’s App installation. | Represents servers or software making API calls to assets owned or managed by a Business Manager. |
Token Invalidation | Access tokens cannot be invalidated via the System User tab in the Business Manager. Instead, business clients must go to Business Manager > Business Settings > Integrations > Connected Apps tab and click Remove app to uninstall the app, which will invalidate the tokens. | Not applicable. |
If you need different access setups for different purposes or departments, you can use multiple granular Business Integration System User access tokens per client business to improve the scalability and security of your integrations.
Granular access tokens are still specific to a client business portfolio. They are not shareable and accessible across different client businesses. Their scope and asset list are a subset of the original Business Integration System User access token.
To isolate potential security incidents in the event of a compromised token, only that specific client business will be impacted, instead of impacting all Business Portfolios across all client businesses.
When a client business installs an app through Facebook Login for Business and generates a Business Integration System User access token, the token includes a client business ID. This ID represents the client business and is used by your app to make API calls.
The /<CLIENT_BUSINESS_ID>/system_user_access_tokens
endpoint allows you to manage your existing Business Integration System User access tokens. Actions include:
Object | Description |
---|---|
| Required. This access token requires the |
| Required.
The |
| Optional.
When you want to generate a more granular token, you can set a list of |
| Optional. The flag you want to use to fetch the existing token and indicate this operation is read only |
| Optional.
When you want to generate a more granular token, you can set a list of |
| Optional.
When you generate a new token, set to |
| Optional. The ID for the system user included in the access token. |
Formatted for readability.
curl -i -X POST "https://graph.facebook.com/v20.0
/<CLIENT_BUSINESS_ID>/system_user_access_tokens
?appsecret_proof=<APPSECRET_PROOF_HASH>
&access_token=<ACCESS_TOKEN>
&system_user_id=<SYSTEM_USER_ID>
&fetch_only=true"
On success your app receives a JSON response with a new access token to be used in subsequent API calls.
{ "access_token": "<NEW_ACCESS_TOKEN>" }
Business Integration System User access tokens | User access tokens | |
---|---|---|
Access Designations | Access is explicitly delegated at the time of authorization. Your app can only access the assets that were designated by your business client when they completed the Facebook Login for Business flow. | Access is inherited from your app user's current account access; you can access the same business assets that the app user currently has access to. |
Account association | Associated with your business client's business account rather than a specific user. Any admin in your business client's admin group can grant your app a System User access token. | Associated with your app user's personal account. |
Expiration and refresh | Defaults to never expire for the common offline server-to-server communication. | A short-lived token for online activities such as web browsers. |
OAuth grant type | Authorization Code grant only. | Implicit grant by default, and can support authorization code grant for improved security. Mainly used for user-agent based clients such as web browsers and mobile apps. |
Your business clients can invalidate Business Integration System User access tokens by going to Business Manager > Settings > Business Settings > Integrations > Connected apps and removing your app.
Your business clients can invalidate User access tokens by going to Facebook and navigating to Settings & privacy > Settings > Security and login > Business Integrations and removing your app.
User access token login flow | Business Integration User access token login flow |
---|---|
To use Facebook Login for Business, you need to create a Business type app.
A configuration is a grouping of the token type, business assets, and permissions your app requires from business clients. This grouping will be presented to users as part of the login flow when they install your app. You can create multiple configurations and present them to different sets of users, depending on your app's needs. To create a configuration:
To create a WhatApp Embedded Signup configuration, visit our WhatsApp Embedded Signup guide.
To create a Conversions API for Business Messaging configuration, visit our Marketing API – Conversions API for Business Messaging guide.
To create an Instagram Graph API configuration, visit our Instagram Graph API documentation.
You can invoke the Facebook Login for Business login dialog using our SDKs, or you can invoke the login dialog by manually building the login flow.
You can use any of our SDKs to invoke the login dialog by replacing the list of scopes (permissions) your app needs with your configuration ID and the access token's required OAuth grant type.
If you are unfamiliar with our SDKs, we recommend that you first install the JavaScript SDK and get it working with the consumer Facebook Login product before proceeding, as the following examples reference the SDK.
Here's an example of the JavaScript SDK's FB.login()
method modified to use a configuration for a System User access token. Note that config_id
has replaced scope
(which should not be used), the response_type
has been set to code
, since SUAT's require the authorization code grant type, and override_default_response_type
must be set to true
. When true, any response types passed in the response_type
will take precedence over the default types.
FB.login( function(response) [ console.log(response); ], [ config_id: '<CONFIG_ID>', response_type: 'code', override_default_response_type: true ] );
When the user completes the login dialog flow we will redirect the user to your redirect URL and include a code. You must then exchange this code for an access token by performing a server-to-server call to our servers.
GET https://graph.facebook.com/v20.0
/oauth/access_token?
client_id=<APP_ID>
&client_secret=<APP_SECRET>
&code=<CODE>
See Exchanging Code for an Access Token for more information about this step.
Here's an example of the JavaScript SDK's FB.login()
method modified to use a configuration for a User access token. Note that config_id
has replaced scope
(although scope
can still be included, we recommend that you do not use it).
FB.login( function(response) { console.log(response); }, { config_id: '<CONFIG_ID>' // configuration ID goes here } );
Here's an example of the JavaScript SDK's login button modified to use a User access token configuration:
<fb:login-button config_id="<CONFIG_ID>" onlogin="checkLoginState();"> </fb:login-button>
See Manually Building the Login Flow to learn how to invoke the login dialog manually. When invoking the login dialog and setting the redirect URL, include your configuration ID as an optional parameter (although scope can still be included, we recommend that you do not use it).
config_id=<CONFIG_ID>
It is recommended you conduct testing and learn about [potentially encountered problems before switching to Facebook Login for Business.
Facebook Login for Business is available to Business and eligible None type apps.
If your app is eligible to switch to Facebook Login for Business, you should be able to see an opt in banner by the following steps:
Note that your current access tokens will not be impacted upon switching to Facebook Login for Business. Additionally, any test app(s) associated with this app will also switch to Facebook Login for Business.
After switching, your app type will be under Business type. If your app is not functioning as intended, each app is allowed to roll back to Facebook Login within 30 days after the switch.
Business clients might encounter error messages for the following reasons:
Potential breaking changes:
email
and/or public_profile
from your business clients, switching the app to Facebook Login for Business will lead to the invalidation of all previously installed tokens for these clients. config_id
parameter and you need to replace the config_id
parameter with the scope
parameter instead.Learn more about Meta Business Extension.
Only available when an existing app has switched to Facebook Login for Business; Newly created Business Type apps cannot switch back to Facebook Login.
After switching to Facebook Login for Business, if your app is not functioning as intended after switching to Facebook Login for Business, you can roll back to Facebook Login by going to the App Dashboard > Facebook Login for Business > Settings and clicking the Switch to Facebook Login link. You will be presented with a survey which helps us improve the Facebook Login for Business configuration experience. Each app is allowed to roll back to Facebook Login within 30 days after the switch.
The easiest way to add Facebook Login for Business is to create a new Business Type app, where Facebook Login for Business is automatically available, and request supported business permissions through App Review. If you want to use it for an existing None type app, your app must have advanced access to at least one supported business permission.
If you are not a Tech Provider building solutions using Meta’s business APIs, Facebook Login is recommended for consumer authentication.
Only request the minimum permissions necessary for your app's functionality. Be transparent with users about why you need each permissions and features. Note that the email
and public_profile
permissions must be requested with at least one other supported business permission.
Yes, advanced access to the public_profile
permission is required for Facebook Login for Business apps before they go live. This requirement is crucial to ensure that the app can support authorization from users who do not have an app role, commonly referred to as external users.