Both Graph API and Marketing API calls require an access token to be passed as a parameter in each API call. In this guide, we teach you how to get access tokens for testing purposes.
To learn more about authentication, see our main documentation:
To get more information in the token you just generated, click on the i button shown before the token. After the click, a pop-up screen opens and displays some basic information about the token. Click on Open in Access Token Tool to be redirected to the Access Token Debugger.
You can also directly access the Access Token Debugger and paste the token you generated in the text box.
While debugging, check:
If the user clicks the Allow button when you prompt for the extended permissions, the user is redirected to a URL that contains the value of the
redirect_uri parameter and an authorization code:
Build a URL that includes the endpoint for getting a token, your app ID, your site URL, your app secret, and the authorization code you just received. The URL will be similar to the following:
https://graph.facebook.com/<API_VERSION>/oauth/access_token? client_id=<YOUR_APP_ID> &redirect_uri=<YOUR_URL> &client_secret=<YOUR_APP_SECRET> &code=<AUTHORIZATION_CODE>
The response should contain the access token for the user:
The token should be stored in your database for subsequent API calls. You should regularly check for validity of the token, and if necessary prompt the user for permission. Even a persistent token can become invalid in a few cases including the following:
As access tokens can be invalidated or revoked anytime, your app should expect to have a flow to re-request permission from the user. When a user starts your web app, check the validity of the token you have for that user. If necessary, send them through the authentication flow to get an updated token.
If this is not possible for your app, you may need a different way to prompt the user. This can happen in cases where the API calls are not directly triggered by a user interface, or are made by periodically run scripts. A possible solutions is to send users an email with instructions.