Facebook Login for Business
Facebook Login for Business is the preferred authentication and authorization solution for Tech Providers and business app developers who need access to their business clients' assets. It allows you to specify the access token type, types of assets, and permissions your app needs, and save it as a set (configuration). You can then present the set to your business clients who can complete the flow and grant your app access to their business assets. If you are not a Tech Provider, or you are not building a business app for use by other businesses, use Facebook Login as your authentication solution instead. |
Access Tokens
You can use Facebook Login for Business to get either System User access tokens or User access tokens.
System User Access Tokens
System User access tokens (SUATs) should be used if your app performs programmatic, automated actions on your business clients' Ad objects or Pages without having to rely on input from an app user, or require re-authentication at a future date. For example:
- Hourly, automated server-to-server conversion API calls
- Sending automated responses as a Page.
- Continuous, automated updates to product catalog inventories.
- Automated retrieval of ads insights.
Although System User access tokens are associated with a business client's system user, tokens generated by the Facebook Login for Business flow cannot be invalided via the System User tab in the Business Manager. Instead, your business clients must go to the Business Manager > Business Settings > Integrations > Connected Apps tab and click the Remove app button to uninstall your app, which will invalidate the tokens.
In order to be able to get SUATs from your business clients:
- Your app cannot request logins from mobile surfaces (i.e Android, iOS, etc).
- Your app must be associated with a Meta Business account.
- The business client completing the Facebook Login for Business flow must have, or be willing to create, a Meta business account.
User Access Tokens
User access tokens should be used if your app takes actions in real time, based on input from the user. For example, use a User access token if your app requires a user to input text and click a button in order to post content to their page. User access tokens should also be used if you require an API that requires admin permissions on a Meta Business Account.
Comparison
| System User access tokens | User access tokens | |
|---|---|---|
Account association | Associated with your business client's business account rather than a specific user. Any admin in your business client's admin group can grant your app a System User access token. | Associated with your app user's personal account. |
OAuth grant type | Authorization Code only. | Implicit by default. Mainly used for user-agent based clients such as web browsers and mobile apps. |
Expiration and refresh | Defaults to never expire for the common offline server-to-server communication. | A short-lived token for online activities such as web browsers. |
Access Designations | Access is explicitly delegated at the time of authorization. Your app can only access the assets that were designated by your business client when they completed the Facebook Login for Business flow. | Access is inherited from your app user's current account access; you can access the same business assets that the app user currently has access to. |
Create a configuration
A configuration is a grouping of the token type, business assets, and permissions your app requires from business clients. This grouping will be presented to users as part of the authentication and authorization flow when they install your app. You can create multiple configurations and present them to different sets of users, depending on your app's needs. To create a configuration you will:
-
Load your app in the
App Dashboard
- Add the Facebook Login for Business product
- Click Configurations
- Click + Create Configuration
- Name your configuration
- Choose the type of access token you want to request from your business clients
- If you chose System User Access Token then select the assets your app needs access to
- Select the permissions your app needs
- Click Create
Creating a configuration will generate a configuration ID, which you can then use with our SDKs (or manually).
Create a WhatsApp Embedded Signup configuration
WhatApp Embedded Signup is exclusively accessible for Business Solution Providers (BSPs) only.
-
Load your app in the
App Dashboard
- Add the Facebook Login for Business product
- Click Configurations
- Click + Create Configuration
- Name your configuration
- Choose WhatsApp Embedded Signup, which will enable your app’s onboarding to WhatsApp Embedded Signup. For WhatsApp Embedded Signup, only System User Access Token is available for use
- Choose token expiration. We recommend choosing 60 days. It helps minimize the risk of a leaked token and enhances the security of your system.
- Choose the assets your app needs access to. This step is only available if you chose System User Access Token in the previous step, and WhatsApp accounts cannot be deselected
- Select the following permissions for your app:
whatsapp_business_managementandwhatsapp_business_messaging - Click Create
Invoke a Login Dialog
You can invoke the Facebook Login for Business login dialog using our SDKs, or you can invoke the login dialog by manually building the login flow.
Invoking with our SDKS
You can use any of our SDKs to invoke the login dialog by replacing the list of scopes (permissions) your app needs with your configuration ID and the access token's required OAuth grant type.
If you are unfamiliar with our SDKs, we recommend that you first install the JavaScript SDK and get it working with the consumer Facebook Login product before proceeding, as the following examples reference the SDK.
System User Access Token Configurations
Here's an example of the JavaScript SDK's FB.login() method modified to use a configuration for a System User access token. Note that config_id has replaced scope (which should not be used), the response_type has been set to code, since SUAT's require the authorization code grant type, and override_default_response_type must be set to true. When true, any response types passed in the response_type will take precedence over the default types.
FB.login(
function(response) [
console.log(response);
],
[
config_id: '<CONFIG_ID>',
response_type: 'code',
override_default_response_type: true
]
);
When the user completes the login dialog flow we will redirect the user to your redirect URL and include a code. You must then exchange this code for an access token by performing a server-to-server call to our servers.
GET https://graph.facebook.com/v18.0/oauth/access_token?
client_id=<APP_ID>
&client_secret=<APP_SECRET>
&code=<CODE>
See Exchanging Code for an Access Token for more information about this step.
User Access Token Configurations
Here's an example of the JavaScript SDK's FB.login() method modified to use a configuration for a User access token. Note that config_id has replaced scope (although scope can still be included, we recommend that you do not use it).
FB.login(
function(response) {
console.log(response);
},
{
config_id: '<CONFIG_ID>' // configuration ID goes here
}
);
Here's an example of the JavaScript SDK's login button modified to use a User access token configuration:
<fb:login-button config_id="<CONFIG_ID>" onlogin="checkLoginState();"> </fb:login-button>
Invoking Manually
See Manually Building the Login Flow to learn how to invoke the login dialog manually. When invoking the login dialog and setting the redirect URL, include your configuration ID as an optional parameter (although scope can still be included, we recommend that you do not use it).
config_id=<CONFIG_ID>
Supported Permissions
You may request the following permissions from your business clients. Note that unlike Facebook Login, Facebook Login for Business requires your business client to grant all of the permissions that you specify in your configuration.
| Available Permissions | User access tokens | System User access tokens |
|---|---|---|
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
email * | ✓ | N/A |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
manage_fundraisers | ✓ | ✓ |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | N/A | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ |
The email and public_profile permissions are automatically granted to all apps however they must be used with at least one other supported permission.
The public_profile permission is automatically granted to all apps however it will not be returned in the scope parameter unless at least one other supported permission, excluding email, is granted by an app user.
Switch to Facebook Login
Facebook Login for Business is only compatible with the permissions listed above. If your app requires different permissions you will have to use Facebook Login instead.
You can switch to Facebook Login by going to the App Dashboard > Facebook Login for Business > Settings and clicking the Switch to Facebook Login link. You will be presented with a survey which helps us improve the Facebook Login for Business configuration experience.
System User Access Token Flow Testing
System User access token flow requires the login user to have a Meta Business account, below describes how you can test your application's SUAT flow.
- If the app is in dev mode: the tester needs to become the admin of client business, partner business, and app.
- If the app is in prod mode: you need to submit an app review to request advanced permissions. The access token generated in DEV mode will lose all standard permissions.
Client Invalidating System User Access Tokens
Your business clients can invalidate System User access tokens by going to Business Manager > Settings > Business Settings > Integrations > Connected apps and removing your app.
For User access tokens, your business clients can remove the app by going to Facebook and navigating to Settings & privacy > Settings > Security and login > Business Integrations and removing your app.