Facebook long-lived and short-lived access tokens, and their expiry after offline_access removal
The access token your app gets for Client-Side authentication is short-lived (about 2 hours), but you can extend it and get a long-lived token using the new endpoint with a valid access token. In the Handling Invalid/Expired Access Tokens guide it says, under "Desktop Web and Mobile Web apps which implement authentication with the JavaScript SDK":
Calling FB.getLoginStatus() or ensuring status: true is set when you call FB.init() means that the next time a user lands on your application and is signed into Facebook, the authResponse object you are passed as a result of those calls will contain a fresh, valid access token.
In this case, it's simply the act of the user using your application which implicitly generates a new access token.
If you use the Server-Side authentication flow then you will automatically get a long-lived token (about 60 days). When that expires you have to send the user to re-authenticate in the same flow (code exchange).
You can of course use both methods, and that way you can get a long-lived token on the server and a short-lived token on the client.
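As an added example (not code from the answer above or from Facebook's SDK), the server-side step the answer describes for extending a short-lived token: building the fb_exchange_token request to /oauth/access_token and turning the response's lifetime into an absolute expiry that tells you when to send the user back through login. The endpoint and parameter names come from Facebook's Graph API documentation rather than from this page, and the two sample responses are constructed.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode

GRAPH_EXCHANGE_URL = "https://graph.facebook.com/oauth/access_token"

# Constructed sample responses (not captured from Facebook); 5183944 s is just under 60 days.
SAMPLE_JSON_RESPONSE = '{"access_token":"CONSTRUCTED_LONG_TOKEN","token_type":"bearer","expires_in":5183944}'
SAMPLE_FORM_RESPONSE = "access_token=CONSTRUCTED_LONG_TOKEN&expires=5183944"


def build_exchange_url(app_id, app_secret, short_lived_token):
    """Build the request that trades a short-lived user token for a long-lived one.
    It carries the app secret, so it belongs on the server, never in browser JS."""
    params = {
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_lived_token,
    }
    return GRAPH_EXCHANGE_URL + "?" + urlencode(params)


def parse_exchange_response(body, now):
    """Parse the exchange response in either the JSON form or the older
    form-encoded form, returning the token and its absolute expiry time."""
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        token = data.get("access_token")
        lifetime = int(data.get("expires_in", 0))
    else:
        fields = parse_qs(body, strict_parsing=True)
        token = fields.get("access_token", [None])[0]
        lifetime = int(fields.get("expires", ["0"])[0])
    if not token:
        raise ValueError("exchange response carried no access_token")
    # No lifetime means no timer-based expiry is known; callers treat that as "re-check".
    expires_at = now + timedelta(seconds=lifetime) if lifetime > 0 else None
    return {"access_token": token, "expires_at": expires_at}


def needs_reauth(record, now, margin=timedelta(days=1)):
    """True when the stored token has no known expiry or is within `margin` of
    expiring, i.e. when the user must be sent back through the login flow."""
    expires_at = record["expires_at"]
    return expires_at is None or now + margin >= expires_at
```

Store `expires_at` next to the token so the server can decide ahead of time whether to re-run the login flow instead of discovering the expiry from a failed Graph call.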
Jian Liu
Updated on June 04, 2022
Comments
Jian Liu almost 2 years
While reading Facebook's post regarding offline_access permission removal, I was thoroughly confused by their reference to short-lived and long-lived access tokens.
This page mentioned:
The duration for which a given access token is valid depends on how it was generated
But I failed to find any further information.
Does anyone have insights on how this determination process works in detail?
Igy about 12 years: Which scenario are you using in your app? I think all but the weirdest edge cases are covered in that doc.
Jian Liu about 12 years: Any pointers under the following contexts? Authentication in native Android apps; authentication in native iOS apps; authentication within a Page Tab on www.facebook.com; authentication within a Canvas Page on apps.facebook.com.
Nitzan Tomer about 12 years: The Handling Invalid and Expired Access Tokens guide talks about all of that. Inside a page tab you can use the JS SDK, which makes it the same, in this context, as a canvas app.
Jian Liu about 12 years: Thanks Nitzan. From your answer, can I assume Android/iOS/Server-flow receives a long-lived token (60 days), and Client-flow/Page-tab/Canvas receives a short-lived token (a few hours)?
Nitzan Tomer about 12 years: I'm not sure at all regarding iOS/Android; I haven't checked, but I think it's short-lived since there's an "extending the token" option.