Access Tokens

This guide explains how to get User and Page access tokens.

Get a Short-lived User Access Token

Use one of the following methods to get a short-lived User access token:

These methods create a short-lived User access token that is valid for 1 hour.

Get a Long-lived User Access Token

Before You Start

You will need the following:

To get a long-lived User access token, send a GET request to the /oauth/access_token endpoint. Replace APP-ID, APP-SECRET, and SHORT-LIVED-USER-ACCESS-TOKEN with your information.

curl -i -X GET "https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&
  client_id=APP-ID&
  client_secret=APP-SECRET&
  fb_exchange_token=SHORT-LIVED-USER-ACCESS-TOKEN"

On success, your app gets this response:

{
  "access_token": "LONG-LIVED-USER-ACCESS-TOKEN",
  "token_type": "bearer",
  "expires_in": SECONDS-UNTIL-TOKEN-EXPIRES
}

This token is valid for 60 days.

Get a Page Access Token

Before You Start

  • A User access token requested by a person who can perform the action on the Page. For example, to moderate comments the person generating the token must be able to perform the MODERATE task the Page.
  • The Facebook ID of the Page you want to access

To get a Page access token, send a GET request to the /PAGE-ID endpoint using your User access token. Replace PAGE-ID and USER-ACCESS-TOKEN with your information.

curl -i -X GET "https://graph.facebook.com/PAGE-ID?
  fields=access_token&
  access_token=USER-ACCESS-TOKEN"

On success, your app receives this response:

{
  "access_token":"PAGE-ACCESS-TOKEN",
  "id":"PAGE-ID"              
}
  • If you used a short-lived User access token, the Page access token is valid for 1 hour.
  • If you used a long-lived User access token, the Page access token has no expiration date.

Get Access Tokens of Pages You Manage

Before You Start

You will need:

To get list of Pages and their corresponding Page access tokens, send a GET request to the /USER-ID/accounts endpoint. Replace USER-ID and USER-ACCESS-TOKEN with your information.

curl -i -X GET "https://graph.facebook.com/USER-ID/accounts?
  fields=name,access_token&
  access_token=USER-ACCESS-TOKEN"

On success, your app receives the following response:

{
  "data": [
    {
      "name": "Facebook Page 1",
      "access_token": "PAGE-1-ACCESS-TOKEN",
      "id": "PAGE-1-ID"
    },
    {
      "name": "Facebook Page 2",
      "access_token": "PAGE-2-ACCESS-TOKEN",
      "id": "PAGE-2-ID"
    },
    {
      "name": "Facebook Page 3",
      "access_token": "PAGE-3-ACCESS-TOKEN",
      "id": "PAGE-3-ID"
    },
...

Limitations

  • Short-lived User access tokens are valid for one hour.
  • Long-lived User access tokens are valid for 60 days.
  • Short-lived Page access tokens are valid for one hour.
  • Long-lived Page access tokens are have no expiration date.

All long-lived access tokens may be invalidated before they expire, even non-expiring Page access tokens under certain circumstances. An access token is invalidated if a password changes, if the user who requested the token no longer has a role on the app or Page, or when a security issue has been detected.

Invalidate a Token

To invalidate a Page or User access token, the person that created the token will need to remove and then re-add the App. This will invalidate all access tokens created by that person for the App. The following help articles describe how to remove an app from a user or business.

The App can then be re-added by getting a User Access Token, or logging into the App.

Learn More

Guides

  • Facebook Login – Learn more about using Facebook Login to request permissions used to access the Graph API.
  • User Node Reference - Learm more about the fields, edges, and methods of the User Node.
  • Page Node Reference – Learm more about the fields, edges, and methods of the Page Node.
  • Access Tokens - Learm more about the fields, edges, and methods of the User Node.

Tools