Access Tokens

This guide explains how to get User and Page access tokens.

Get a Short-lived User Access Token

Use one of the following methods to get a short-lived User access token:

These methods create a short-lived User access token that is valid for 1 hour.

Get a Long-lived User Access Token

To get a long-lived User access token you will first create a short-lived User access token. Next, you will exchange the short-lived User access token for a long-lived User access token. This token is valid for 60 days.

Send a GET request to the /oauth/access_token endpoint. Replace {app-id}, {app-secret}, and {access-token} with your information.

curl -i -X GET "https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&
  client_id={app-id}&
  client_secret={app-secret}&
  fb_exchange_token={short-lived-user-access-token}"

On success, your app gets this response:

{
  "access_token": "{long-lived-user-access-token}",
  "token_type": "bearer",
  "expires_in": {seconds-until-token-expires}
}

This token is valid for 60 days.

Get a Page Access Token

To get a Page access token, you will need a User access token. This User access token must be generated by a person who can perform the action on the Page. For example, to moderate comments the person generating the token must be able to MODERATE the Page.

Send a GET request to the /{page-id} endpoint using your User access token. For example:

curl -i -X GET "https://graph.facebook.com/{page-id}?
  fields=access_token&
  access_token={user-access-token}"

On success, your app receives this response:

{
  "access_token":"{page-access-token}",
  "id":"{page-id}"              
}
  • If you used a short-lived User access token, the Page access token is valid for 1 hour.
  • If you used a long-lived User access token, the Page access token has no expiration date.

Get Access Tokens of Pages You Manage

To get list of Pages and their corresponding Page access tokens, you will need a User access token and the pages_show_list permission.

The person requesting the User access token must be able to perform a task on the Page for it to be returned.

Send a GET request to the /{user-id}/accounts endpoint:

curl -i -X GET "https://graph.facebook.com/{user-id}/accounts?
  fields=name,access_token&
  access_token={user-accesss-token}"

On success your app receives the following response:

{
  "data": [
    {
      "name": "Facebook Page 1",
      "access_token": "{page-access-token-for-Page-1}",
      "id": "{page-1-id}"
    },
    {
      "name": "Facebook Page 2",
      "access_token": "{page-access-token-for-Page-2}",
      "id": "{page-2-id}"
    },
    {
      "name": "Facebook Page 3",
      "access_token": "{page-access-token-for-Page-3}",
      "id": "{page-3-id}"
    },
...

Limitations

  • Short-lived User access tokens are valid for one hour.
  • Long-lived User access tokens are valid for 60 days.
  • Short-lived Page access tokens are valid for one hour.
  • Long-lived Page access tokens are have no expiration date.

All long-lived access tokens may be invalidated before they expire, even non-expiring Page access tokens under certain circumstances. An access token is invalidated if a password changes, if the user who requested the token no longer has a role on the app or Page, or when a security issue has been detected.

Invalidate a Token

To invalidate a Page or User access token, the person that created the token will need to remove and then re-add the App. This will invalidate all access tokens created by that person for the App. The following help articles describe how to remove an app from a user or business.

The App can then be re-added by getting a User Access Token, or logging into the App.

Learn More