Question

First of all, I was getting a Facebook page/group feed on my website using a 60-day user access token. But I want a non-expiring access token, so I am trying to use an app access token. Getting an app access token is easy: you just have to use it in the "app id|secret key" format. But on the Facebook developer page I came across this post - https://developers.facebook.com/docs/facebook-login/access-tokens/ - and there is the following:

To generate an app access token, you need to make a Graph API call:

GET /oauth/access_token?
     client_id={app-id}
    &client_secret={app-secret}
    &grant_type=client_credentials

So I made a server-side call to this URL and got an access token in the same format, with a "|" in between. The app id on the left side is the same as before, but on the right side there is another key, not the same as the app secret key! What does that mean? Is this token non-expiring too? And why did the secret key change when generated by the above call? And can I use this generated token in a client-side call without any risk, so that if any hacker gets it, they can do no harm?

Please point me in the right direction ASAP. What is the best way to get and use an app access token? Thanks in advance.

Solution

The app_id|app_secret version always works (and is also how, e.g., the PHP SDK creates an app access token internally).

Is this token non-expiring too?

And app access tokens do not have any expiry time, ever.

And why did the secret key change when generated by the above call?

The second part of that token is not the app_secret – the whole thing is simply an access token for your app, with your app_id as the first part. The second part is “random” (well, somehow calculated as a hash of whatever by FB, but none of your concern).

And can I use this generated token in a client-side call without any risk, so that if any hacker gets it, they can do no harm?

Of course not – it is an app access token, and can be used to do everything that can be done in the name of your app.

An app access token is never to be used in client-side code, no matter how it was obtained.
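
One way to keep the app access token on the server, as an added example that is not part of the original question or answer: the server makes the client_credentials call quoted in the question, fetches the feed itself, and hands the browser only the post fields. The function names, the `/{page-id}/feed` path, the placeholder credentials and the constructed responses are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"

def http_get_json(url):
    """Real HTTPS GET; runs on the server only."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def app_access_token(app_id, app_secret, fetch=http_get_json):
    """Server-side form of the client_credentials call quoted in the question."""
    query = urllib.parse.urlencode({
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "client_credentials",
    })
    return fetch(f"{GRAPH}/oauth/access_token?{query}")["access_token"]

def feed_for_browser(page_id, token, fetch=http_get_json):
    """Fetch the feed with the app token; return JSON that is safe to send to a browser."""
    path = urllib.parse.quote(str(page_id), safe="")
    query = urllib.parse.urlencode({"access_token": token})
    data = fetch(f"{GRAPH}/{path}/feed?{query}")
    # Copy only the fields the page renders. The "paging" URLs in a Graph
    # response can carry the access token, so they are never passed through.
    posts = [
        {"id": p.get("id"), "message": p.get("message", ""),
         "created_time": p.get("created_time")}
        for p in data.get("data", [])
    ]
    body = json.dumps({"posts": posts})
    if token in body:  # last check before anything leaves the server
        raise RuntimeError("response would expose the app access token")
    return body

def constructed_fetch(url):
    """Constructed stand-in for the Graph API so the example runs offline."""
    if "/oauth/access_token" in url:
        return {"access_token": "1234567890|CONSTRUCTED-TOKEN", "token_type": "bearer"}
    return {
        "data": [{"id": "999_1", "message": "Hello", "created_time": "2015-01-01T00:00:00+0000"}],
        "paging": {"next": f"{GRAPH}/999/feed?access_token=1234567890|CONSTRUCTED-TOKEN&after=abc"},
    }

if __name__ == "__main__":
    # Placeholder credentials; a real deployment reads them from server-side configuration.
    token = app_access_token("1234567890", "placeholder-secret", fetch=constructed_fetch)
    print(feed_for_browser("999", token, fetch=constructed_fetch))
```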

Licensed under: CC-BY-SA with attribution