How to get a new 'short lived' facebook access token (serverside) with the previously used permissions while not using the api explorer?

Question

Intro

---

I've got a little Facebook fan page I'm posting updates on. To do that I'm using a long lived access token which expires every 60 days with the permissions: 'manage_pages' and 'publish_stream'.

Upon researching I've found no "this is it" solution, so I went creating a new post describing my problem while linking up everything I've found so far as a summary. It grew a little large lol (my apologies).

To get a short lived access token I usually follow these steps as described here.

• Go to https://developers.facebook.com/tools/explorer/ and select your app from the first drop down menu, in the left.
• Click on the button "Get access token", and in the "Select Permissions" window, click in "Extended Permissions" and check manage_pages and publish_stream, and click in "Get Access Token" blue button.
• You may be asked in this step to garant permissions to your app to access to your Facebook account, accept.
• Next, click at the end of the text field next to the "GET" drop down, and replace the numbers for: me/accounts, and click in the blue button next to this text field.
• You'll get the tokens for all your pages, including your app page. Find your page name in the list, will look like this: "name": "Your page name"
• When you located your page, copy the access token for the page (will be really long), that can look like this: "access_token": "XXXXXXXX". Also copy the id of the page: "id": "XXXXX".

Using

https://graph.facebook.com/oauth/access_token?
    client_id=[clientid]
    &client_secret=[clientsecret]
    &grant_type=fb_exchange_token
    &fb_exchange_token=[shortlivedaccesstoken]

Either in a browser or by curl request for example, I'm getting my 60 days long lived access token returned. (Source)

As the Facebook API documentation describes, long lived access tokens can not be refreshed. Of course I can refresh the token using above endpoint and get a new long lived token with the same expiry date returned.

EDIT: To create a post on the fanpage wall (as the page user) I'm doing sth. like this:

$this->fb = new Facebook(array(
    'appId' => [app-id],
    'secret' => [app-secret]
));

//~Get data from DB here~

//~some error handling in case data fetching failed~


$fbToken = '';
$fbToken = *[facebook access token]*;

$mediaData = array(
    'picture' => [picture-url],
    'message' => [message],
    'link' => [link],
    'name' => [name],
    'description' => [description],
    'access_token' => $fbToken
);

try {
    $post_id = $this->fb->api('/' . [fb-page-id] . '/feed', 'post', $mediaData);
} catch(FacebookApiException $e) {
    //log file output
}

Problem

---

You can only get a new long lived access token by using a short lived access token.
@maxim-aniskov describes a way to get a new short lived access token here. Running into the same problem, it works once at the first fetch. The accepted answer involves deletion of the current permissions.

Also, in this post it has been hinted in the comments that even a short lived access token cannot be refreshed without user interaction.

Finally as you can see there are many people running into the same fun here too.

Somewhere I've even read that an existing long lived access token can be refreshed but only if it's about-to-expire. There is no information in which timeframe 'about-to-expire' lies. (5 days ain't)

Ultimately none of them helped me any further.

Question

---

As a summary of the above mentioned~

How to get a new short lived access token with the previously used permissions (manage_pages and publish_stream) querying an API endpoint?

Is it really only possible by revoking a previously given access? The website I'm trying to refresh its access token for is about posting real time updates, so I'd like little to no downtime.. Instead of manually generating a new short lived token in the graph api explorer everytime the old token expired or is about-to-expire, I'd rather just press a single button to do that.

Answer 1

You are quite confused with the flow actually! Let me explain you how this access token thing works-

First of all, the getting the access token from Graph API Explorer is just a way- not really the best way of course. (but in your case it seems fine since I think you are managing the page from your account only not for the other facebook users- correct me if I am wrong).

Generally, facebook integration is used to get access for a facebook user and perform some activities or get the user's data, and it is done by implementing the facebook login. The facebook login takes in to account the permissions user has granted and returns an access token- that's the user access token

---

Now, if you want to post on behalf of the page itself, you have to use the page's access token (API- /me/accounts). Now, the good thing is- you can extend the page access token that's never expires! I've explained the steps here.

If you want to post on behalf of the user/admin, you use the user access token which can be extended by making a \GET request that you've explained that already. Now when you said-

I've even read that an existing long lived access token can be refreshed but only if it's about-to-expire. There is no information in which timeframe 'about-to-expire' lies. (5 days ain't)

This statement is incorrect! You can extend the token at any point. Today you have a token with 60days expiry, tomorrow it can be extended again with upto 60 days expiry. To refresh the extended token, you have to repeat the steps you used to generate the extended token for the first time i.e.- obtain an access token (the normal one) with the login flow or the graph api explorer(yes- there's NO other way to get the access token) and make the \GET request to obtain the extended one. This is it!

You asked-

How to get a new short lived access token with the previously used permissions (manage_pages and publish_stream) querying an API endpoint?

Dont worry about this, next time whenever you try to get the access token it will have the permissions with it since you have authorized the app already. You dont need to take care of anything for this!

Edit

If you dont want to use the Graph API Explorer, you can write a small script, using JS/PHP/other language and implement the facebook login- get the access token- and extend that token (oh wait! you didnt tell how are you creating the posts? You can do that with your script only- simple enough!). Good luck!