trying to get app access token

Question

I tried to get an app-access-token for my facebook app with this code:

APP_ACCESS_TOKEN = FB.api(
    "oauth/access_token",
    {client_id: APP_ID, client_secret: APP_SECRET_CODE, redirect_uri: uri},
    function(response){
    console.log(response);
});

which should be like:

GET https://graph.facebook.com/oauth/access_token?
        client_id=YOUR_APP_ID
       &client_secret=YOUR_APP_SECRET
       &redirect_uri=uri

but i get an error:

code: 1
message: "Missing authorization code"
type: "OAuthException"

What is the authorization code and how can i get it?

Sorry I can´t remember. Too long ago. It was during a lab. – Franz Deschler Feb 24 '14 at 16:35 — Franz Deschler, Feb 24 '14 at 16:35

score 70 · Answer 1 · edited Dec 25 '14 at 10:19

70

Obtaining an App Access Token

To obtain an App Access Token, invoke the following HTTP GET request:

GET https://graph.facebook.com/oauth/access_token?
            client_id=YOUR_APP_ID
           &client_secret=YOUR_APP_SECRET
           &grant_type=client_credentials

The API will respond with a query-string formatted string of the form:

access_token=YOUR_APP_ID|YOUR_APP_ACCESS_TOKEN

Reference: http://developers.facebook.com/docs/opengraph/howtos/publishing-with-app-token/

edited Dec 25 '14 at 10:19

Line

1,529
3
18
42

answered May 07 '13 at 06:28

Avantaj Tvm

719
5
2

4

Updated link: https://developers.facebook.com/docs/facebook-login/access-tokens#apptokens – John Douthat Oct 24 '14 at 12:34
6

What is client_credentials ? – Vlas Bashynskyi Apr 05 '16 at 15:37
@VlasBashynskyi if you're asking what value you're suppose to enter there, you're not, it's not a placeholder it's the actual value you use. If you're asking what it does, not sure but probably let's facebook know you want client credentials of some sort. – Goose Nov 08 '16 at 20:32
3

As of 4/27/17 the api response format has changed and it's returning `{"access_token":"YOUR_APP_ID|YOUR_APP_ACCESS_TOKEN","token_type":"bearer"}` – Guig Mar 27 '17 at 23:11
it's OK to expose the client (APP) secret? – kimo Jun 10 '17 at 15:52
I'm not sure that exposing the APP client secret in the code is a good idea, you can take the APP token from Facebook tool "Access Token Tool" just copy the token to your code https://developers.facebook.com/tools-and-support/ – kimo Jun 17 '17 at 16:14
What could be the reason for not getting the access token sometimes? – Sanjay Kumar N S Jul 18 '17 at 14:26

score 45 · Answer 2 · answered Oct 18 '12 at 09:21

45

https://developers.facebook.com/docs/howtos/login/login-as-app/:

“Because it requires you to include your App Secret you should not attempt to make this call client-side as that would expose this secret to all your app users. It is important that your App Secret is never shared with anyone. For this reason, this call should be performed server-side”

And for the app access token, it’s the same – you should never use it client-side, because every user could spot it there and then start using it to perform actions on behalf of your app (or change many of your app’s settings).

If you have a server-side part to your application, you can simply “build” the app access token there yourself, concatenating app id and secret with a pipe symbol, app_id|app_secret.

answered Oct 18 '12 at 09:21

CBroe

91,630
14
92
150

3

thanks a lot for the info how the access token is being created! – Ron Jan 30 '13 at 14:43
Can people still see it client side even if you hide your .js files? – Ben Pearce May 08 '13 at 07:17
2

Of course they can, there is no "hiding" of client-side scripts. – CBroe May 08 '13 at 07:51
12

@CBroe Thanks for the sharing the `app_id|app_secret` concatenate method of having a **permanent access token**. I was looking for hours for an answer to this. – marco alves Jun 18 '13 at 14:50
Do we need to submit the Facebook app to review incase we use app token (Permanent token)?. We are using this app token only to get the likes count Facebook page. There is user login at all. – Jayaprakash Oct 08 '15 at 04:59
@Jayaprakash: If you are not using any permissions and don’t even have user login implemented, then there of course is nothing to submit. – CBroe Oct 08 '15 at 09:22
@CBroe: Thanks for your reply. But, when I use the app token of newly created Facebook app in the Graph API, the like count is not coming in response (API: https://graph.facebook.com/?access_token= ). When I use the app token of other Facebook apps which is already submitted for review and approved (has manage_pages permission enabled), it works. Since it is not documented clearly, we have a doubt that, do we need to send it for review by requesting mange_pages permission. Or does it requires any other permission? – Jayaprakash Oct 09 '15 at 06:21
You can not have an _app_ token with `manage_pages` permission. Is the page that you are trying to get the like count from public, and not restricted in any way (alcohol-related content, age, country, …)? If it is restricted, you can not use your app access token, you need to use a user access token for a user that is allowed to see it, or a page access token. – CBroe Oct 09 '15 at 07:15
@CBroe: I have tested this in our testing page (http://facebook.com/knowdepage123), there is no restricted content in this. For this page, an app token of already existing Facebook app (which has manage_pages permission) works, but the app token of newly created Facebook app is not working. Recently, I have sent the app for review by requesting manage_pages permission, but they rejected our app as there is no Facebook login functionality in our app. Please help us how to proceed. Is there any contact for Facebook review team? – Jayaprakash Oct 13 '15 at 05:20
@Jayaprakash: This is getting a bit too broad here, for the context of the original question. May I suggest you create your own question, and describe the issue in there. – CBroe Oct 13 '15 at 07:31
Yes. Thanks. Created the question http://stackoverflow.com/questions/33107620/do-review-required-if-we-want-to-get-facebook-page-like-count-without-facebook – Jayaprakash Oct 13 '15 at 16:13

score 1 · Answer 3 · edited Jul 22 '18 at 17:24

check if users of the node.js or the JAVASCRIPT.

getLongLiveToken: function(data){
    FB.api('oauth/access_token', {
        client_id: data.client_id, // FB_APP_ID
        client_secret: data.secret, // FB_APP_SECRET
        grant_type: 'fb_exchange_token',
        fb_exchange_token: data.access_token // USER_TOKEN
    }, function (res) {
        if (!res || res.error) {
            console.log(!res ? 'error occurred' : res.error);
        } else {
            var accessToken = res.access_token;
            if(typeof accessToken != 'undefined'){}
        }
    });
}

score 0 · Answer 4 · answered Jun 17 '17 at 16:15

0

I'm not sure that exposing the APP client secret in the code is a good idea, you can take the APP token from Facebook tool "Access Token Tool" just copy the token to your code for any use https://developers.facebook.com/tools-and-support/

answered Jun 17 '17 at 16:15

kimo

1,864
5
23
29

score 0 · Answer 5 · answered Oct 28 '17 at 22:17

You can also use this POST endpoint without generating the token, just be sure its being called from the server not client-side where the app_secret is exposed to public:

https://graph.facebook.com/?id={url}&scrape=true&access_token={app_id}|{app_secret}

trying to get app access token

5 Answers5

Linked