Permissions with Facebook Login

When a person logs into your app via Facebook Login you can access a subset of that person's data stored on Facebook. Permissions are how you ask someone if you can access that data. A person's privacy settings combined with what you ask for will determine what you can access.


Facebook Login Example

Permissions are strings that are passed along with a login request or an API call. Here are two examples of permissions:

  • email - Access to a person's primary email address.
  • user_likes - Access to the list of things a person likes.

For example, if you add the login button to a web app and ask for email and user_likes via the scope parameter, a person would be prompted with this dialog when logging in for the first time:

Your app has requested a person's email address and the things they like, but that request also automatically asks for access to the person's public profile. The full list of permissions, including defaults, is included in the Permissions Reference.

We provide similar mechanisms for iOS and Android. Links are provided for each platform later in this document.

When to ask for Permissions

Your app can ask for additional permissions at any time, even after a person logs in for the first time. For example, the publish_actions permission lets you post to a person's Facebook Timeline. It's recommended you ask for this permission only when a person is ready to publish a story to Facebook. When you ask for new permissions, the person using your app will be asked about those new permissions and has the ability to opt out. For more information, see Optimizing Permissions Requests.

Permissions only need to be granted once per app, i.e. permissions granted on one platform are effectively granted on all the platforms your app supports.

User Control

Facebook Login allows a person to grant only a subset of permissions that you ask for to your app, except for public profile, which is always required. This is available as a separate screen in the login dialog when you ask for permissions:

Your app should handle the case where someone has declined to grant your app one of the permissions you requested.

Revoked Permissions

People can also revoke permissions granted to your app in Facebook's interface at any time after they have logged in. It is important that your app regularly checks which permissions have been granted, especially when launching on a new platform. We provide methods for you to check what permissions are currently granted to your app.
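
The following is an added example, not code from the original page: one way to handle declined or revoked permissions is to audit the current grants and enable only the features whose permissions are all granted. It assumes the response has the shape returned by the Graph API `/me/permissions` edge (a `data` array of `permission`/`status` pairs); the sample response, the feature names and the helper functions are constructed for illustration.

```javascript
// Constructed sample in the shape of a Graph API /me/permissions response
// (assumed; the page itself does not show the response format).
const sampleResponse = {
  data: [
    { permission: 'public_profile', status: 'granted' },
    { permission: 'email', status: 'granted' },
    { permission: 'user_likes', status: 'declined' },
  ],
};

// Hypothetical feature names mapped to the permissions each one needs.
const FEATURE_REQUIREMENTS = {
  emailReceipt: ['email'],
  recommendations: ['user_likes'],
  shareStory: ['publish_actions'],
};

// Classify each required permission as granted, declined, or missing.
function auditPermissions(required, response) {
  const rows = response && Array.isArray(response.data) ? response.data : [];
  const status = new Map();
  for (const row of rows) {
    if (row && typeof row.permission === 'string') status.set(row.permission, row.status);
  }
  const result = { granted: [], declined: [], missing: [] };
  for (const perm of required) {
    const s = status.get(perm);
    if (s === 'granted') result.granted.push(perm);
    else if (s === 'declined') result.declined.push(perm);
    else result.missing.push(perm); // never asked, revoked, or unknown status
  }
  return result;
}

// Fail closed: a feature is enabled only when every permission it needs
// is currently granted. A malformed or empty response enables nothing.
function enabledFeatures(response) {
  return Object.keys(FEATURE_REQUIREMENTS).filter((name) => {
    const audit = auditPermissions(FEATURE_REQUIREMENTS[name], response);
    return audit.declined.length === 0 && audit.missing.length === 0;
  });
}

// Options for asking again at the moment the person uses the feature.
// auth_type 'rerequest' is the JavaScript SDK login option for re-asking
// declined permissions; it is not mentioned on this page.
function rerequestOptions(perms) {
  return perms.length ? { scope: perms.join(','), auth_type: 'rerequest' } : null;
}
```

Run the audit on every app launch and before each permission-gated action, not only right after login, so a grant revoked in Facebook's interface is noticed before the API call fails.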

Granular Permissions

People can grant your app permissions for Pages, Groups, and business assets they manage at the individual level. For example, someone who manages several Pages may grant your app permission for only a particular Page or for only some of the Pages.

People choose which permissions they grant through a permission request flow. For example, if an app requests Page and Groups permission, people receive a request to grant those permissions.

If they don't grant all the requested permissions, they can manage what sorts of permissions they grant.

They can also choose which Pages, Groups, or business assets they grant permissions for.

If someone initially grants only some of the requested permissions, they can later change which permissions they allow through the app settings page. However, if they update this to grant all permissions, they will no longer be able to use the app settings page to change the permissions they have granted.

People can manage the following permissions at the individual level: