70

I'm building an app that allows users to administrate their Facebook Fan Pages. This requires the following two Access Tokens:

  1. A User Access Token
  2. A Page Access Token

I'm quite familiar with User Access Tokens, but not with Page Access Tokens.

Does anybody know how long the Page Access Token remains valid? All I can find on the Facebook website is this succinct paragraph, which doesn't mention anything about it's expiry.

Can I assume that if I am requesting the User Access Token with the offline_access permission the Page Access Token will also last indefinitely (unless the user changes their password or manually deauthorises my app)?

I'm asking because I want to know how often I should query the Facebook Graph API and acquire Page Access Tokens. Should I simply request them once when the user registers? Or should I request them one each API Call in the event they continuously change? The latter is obviously more taxing!

BartoszKP
  • 34,786
  • 15
  • 102
  • 130
dbau
  • 16,009
  • 2
  • 21
  • 31
  • 2
    +1 good question, and also well written. You should also put this up in the Facebook developer group on Facebook, if you haven't already. – bool.dev Oct 08 '11 at 13:32
  • 1
    +1 for a good question. This should definitely be added to the Facebook developer group and you should generate a request to add it to the documentation. My gut instinct says that these tokens will change just as user access tokens change over time. Hopefully someone can speak from experience. – Andrew Cox Oct 09 '11 at 04:06
  • very good question. I also want to know proper solution about your question. – Frank Myat Thu Sep 20 '12 at 02:27
  • Do we have an answer to this one yet? And if they do expire, is there a way to check how much time is left of a token? – atwellpub Jan 03 '13 at 16:30

8 Answers8

42

Page Tokens expire when the access token expires for the user that the page token was generated from. Edit 6.28.2013: If you extend the user access token and obtain a new page access token for the user, that page token will not expire unless the user de-authorizes your app.

Offline access has now been deprecated, but you are allowed to extend an access token to last for 60 days. If you extend the user's access token, then the page tokens generated from that user account will also have their expiration extended to match will not expire (edited 6.28.2013). The value for the page tokens may change after being extended, so be sure to grab new page tokens from the user's /accounts graph connection after extending the user token.

You can continue to extend these access tokens once per day. So you should regenerate the access tokens each day that the user interacts with your app.

See https://developers.facebook.com/docs/facebook-login/access-tokens/#pagetokens https://developers.facebook.com/docs/facebook-login/access-tokens/#extending https://developers.facebook.com/docs/facebook-login/
https://developers.facebook.com/roadmap/offline-access-removal/ https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/

rmarscher
  • 5,596
  • 2
  • 28
  • 30
  • 3
    +1 for this answer. Here's how to confirm. **First** create a new app and enable the offline_access migraton. **Second**, grant an access token for `manage_pages` to that app in the [graph api explorer](https://developers.facebook.com/tools/explorer/?method=GET&path=me%2Faccounts). **Third**, look up your pages access tokens at `/me/accounts`. **Finally** use the [debug console](https://developers.facebook.com/tools/debug) to check the access token expiry. Indeed, after the migration, **page access tokens expire after 1 hour** instead of lasting indefinitely. Time to change your apps! – logan Apr 13 '12 at 18:15
  • `"the page tokens generated from that user account will also have their expiration extended to match"` is slightly misleading. By extending the user's access token, the existing **page access tokens expiry are NOT increased**. Instead, after extending a user's access token, **you can get new tokens from `/me/accounts`** – logan Apr 13 '12 at 18:28
  • Thanks @logan. I updated the response to note that page access tokens may change. From https://developers.facebook.com/roadmap/offline-access-removal/: `"If the access_token was originally generated from a client-side OAuth call or through a signed_request, the endpoint will actually return a new access_token."` So I think since you were testing with the graph api explorer, that access token was generated client-side and therefore changed after being extended. – rmarscher Apr 16 '12 at 21:50
  • 1
    Also, if you try to exchange a page access token (instead of exchanging the users access token), you will get this error `{"error_code":1,"error_msg":"An unknown error occurred"}` – logan Apr 17 '12 at 00:10
  • But here: https://developers.facebook.com/roadmap/offline-access-removal/#page_access_token I read "By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages.". Does this mean they NEVER expire? – Glooh May 10 '12 at 11:30
  • Facebook's documentation on the issue (long-lived page access tokens) doesn't match what happens in reality. See this Facebook bug: http://developers.facebook.com/bugs/461517520524921 – rinogo Jun 28 '12 at 21:49
  • This points in the right direction, but the answer (currently) below by @Simon.Ponder seems more actionable. Also, on the debugger, I'm getting "never" on the "Expires in" field :D – rapcal May 10 '13 at 04:15
  • I made some edits to this answer to update links and note that Page Tokens retrieved after extending the user access token no longer expire. I also upvoted the answer by @Simon.Ponder which is very good. – rmarscher Jun 28 '13 at 21:25
  • "You can continue to extend these access tokens once per day" -> How do you do this? – Tejas Manohar Jun 28 '16 at 21:21
  • @TejasManohar the latest documentation on extending access tokens is here - https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension I hope that helps you out. – rmarscher Jul 06 '16 at 00:35
12

You can extend a page access token to make it never expire. The documentation is a little muddy, but the following pages have pertinent information, and you will obviously need to be an administrator of the page. Pay close attention to scenario 4 and 5 at the second link.

https://developers.facebook.com/docs/reference/api/page/#page_access_tokens https://developers.facebook.com/roadmap/offline-access-removal/#page_access_token

It is simple using the graph explorer to retrieve tokens from Facebook. The graph explorer also allows you to debug the token which will list the expiration date, thus you can verify that it never expires. Graph Explorer: https://developers.facebook.com/tools/explorer

Click on the Get Access Token button to retrieve your token. Keeping your id in the query bar, simply append /accounts to your id, so that it looks like this: /123456789101112/accounts. Make sure it is a GET request (The drop-down to the left of the query bar).

This will retrieve all pages that you are configured to work with. You then need to make a GET request to:

/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN

Your APP_ID and APP_SECRET can be found in your applications administration settings. Use your personal access token as the final parameter (EXISTING_ACCESS_TOKEN). This will return a 60 day personal access token. Copy this token into the Access Token bar, which is above the query bar. Now make a GET request to USER_ID/accounts like we did towards the beginning. This will again return a list of pages that you are configured to work with.

But this time the page tokens that are listed with the pages do not expire. You can check this by copying a page token into the Access Token bar, and clicking the Debug button. This will give you details on that access token, including the expiration time, which should be never in this case.

UPDATE

I have also found that Facebook's graph explorer sometimes get confused with user context, and may not be reliable at all times. Alternatives are Fiddler or Postman.

Simon.Ponder
  • 492
  • 6
  • 14
  • 1
    I never read those Operation Developer Love posts because they make my palms sweat... But thanks to you, now I can finally rest after a long time having to daily update the evil "page access token" before my cron job run... :) – rapcal May 10 '13 at 04:09
  • @Simon.Ponder : do you know if this never expiring token will also work to fetch the user's stream (or other public streams)? I could wait two months to try, but would rather have a faster answer. thx –  Jun 26 '13 at 13:28
  • These tokens are for the application that an administrator would be approving, but besides that they function exactly like any other page access token. If you are asking about any user that visits the page, you would have to get the approval from each user. – Simon.Ponder Jun 26 '13 at 14:01
  • @Simon.Ponder thank you, thank you, thank you for the token that do not expire. – whitesiroi Jun 21 '16 at 05:11
4

I'm not sure if facebook has made changes to fix these bugs or not but it seems that user access tokens do not expire once page access tokens are granted for the user. Based on my testing the flow goes something like this:

  1. User access token requested -> 60 day user token is issued
  2. Page access tokens requested -> page access tokens issued that never expired and initial user access token is upgraded to never expire as well.

Hope this clears up some of the confusion on here. I have tested this with many different users in our app and see the same thing each time.

If page access tokens are never requested, the original user access token will expire after 60 days.

rvaldron
  • 106
  • 3
  • answering my own question, yes this still works. However, it doesn't work if the user doesn't have any pages (makes sense I guess) - is there any way to get this to work for users without pages? –  Jun 26 '13 at 13:23
  • Yes, this is still the case. I'll use page access token to be safe in case Facebook decides to fix this and invalidate user access tokens. – ozren1983 Jan 07 '15 at 13:32
2

Facebook page access token is very similar to User access token except that "it impersonates the user" as the admin of the page and allows to manage it [manage_page permission is required].

If Offline_access permission is granted to the app the page access_token WILL NOT expire (unless the user changes their password or manually deauthorises the app)

Use the following link to check the details of an issued access token.

https://developers.facebook.com/tools/debug/

Robin
  • 2,339
  • 1
  • 15
  • 11
  • Where did you get the information about the page's access token expiring if a user changes their password? Not that I don't believe you, but if it's based on undocumented behavior, I suspect that's subject to change (even more change than the documented behavior, which also changes all the time :) ) – Tom Lianza Jan 29 '12 at 08:58
  • :) What you said is right. Anything can change at anytime in Facebook without prior notice. :) This was found in the section describing functioning of Access tokens (it was a common description). I have also tested using the above link which proved to be valid. But like you said maybe it may change in future. – Robin Jan 31 '12 at 08:13
  • 4
    **This answer is out-dated**. See the answer by @rmarscher about offline_access being deprecated. – logan Apr 13 '12 at 18:32
1

See this https://developers.facebook.com/roadmap/offline-access-removal/#page_access_token According to this when you get short time access token and extend it to long live access token this will not expair for only page access token. See scenario 5: page access token

Ananda Subasinghe
  • 1,265
  • 2
  • 13
  • 24
1

Facebook's documentation on the issue (long-lived page access tokens) doesn't match what happens in reality. The documentation claims that page access tokens acquired via extended/long-lived user access tokens will never expire. However, in reality, these page access tokens expire in 60 days.

See the Facebook bug: http://developers.facebook.com/bugs/461517520524921

rinogo
  • 8,491
  • 12
  • 61
  • 102
1
  • Default Page access token are short-lived so they expire in 1 or 2 hours. If you want to make it last longer you need to extend the short-lived to a long-lived access token so it will last approximatively 2 months.
  • The permission offline_access is now deprecated.
  • The access token does not expire when a user change is password.

In another question I explain How to extend Page access token.

Community
  • 1
  • 1
FR6
  • 3,157
  • 3
  • 24
  • 28
0

Page access tokens are expired when the user's access token expired. You can extend user access token to last up to 60 days in order to make the page access token last long.

Check out my blog and follow the step by step instruction of getting extended access token and getting the fanpage access tokens as well.

ForceMagic
  • 6,230
  • 12
  • 66
  • 88
Thet Naing Swe
  • 1
  • 4
    Welcome to Stack Overflow! Thanks for posting your answer! Please be sure to read the [FAQ on Self-Promotion](http://stackoverflow.com/faq#promotion) carefully. Also note that it is *required* that you post a disclaimer every time you link to your own site/product. Also, please don't post shortened/obfuscated URLs; people should be able to see where their clicks are going to end up. – Andrew Barber Nov 11 '12 at 03:38