(Disclaimer: The access_tokens and appIds in this post are fake and are just intended to look real)

I'm trying to generate an access_token using the call to the following:

https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=123456789000000&client_secret=03252f2ff1eddffe234a0dc7256abb8c

That gives me an access_token in this format:

access_token=123456789000000|TR528Smvi4AXMM21Zhmi5XmJwmk

If I try to access a fan page that's protected with that token like this I get false back: http://graph.facebook.com/109813019043531?access_token=123456789000000|TR528Smvi4AXMM21Zhmi5XmJwmk

Now, if I use the Graph API Explorer and select the same App as the one I'm using above to generate the access token I get an access token that looks like this:

ABBDSqE43jFSSbrS7ujvyLZClfyKDCZBhAuLXTtr9nwelj4MFwlijzejljEoNItC3lijzm3shemzq3jDFCdAZD

If I use that access token to access the URL (http://graph.facebook.com/109813019043531) it works as expected.

My question is, what is the difference between the two and how can I programmatically generate one that works like the second token?

Just a note - one should NEVER post application secrets or access tokens. With that information someone could impersonate you, your application or your page and perform some malicious actions. I have removed the sensitive data from your post. Please be aware of this in the future. - Lix

I was already aware of that, and those aren't sensitive. I was just trying to accurately illustrate the format of tokens since that is relevant to my question. Those aren't real application secrets or access tokens. They're me randomly pushing the keys on my keyboard :-) - gplocke

Looked real to me :$ hehe... I'll roll back the edit... - Lix

Thanks! I added a disclaimer to make sure it's not misleading too. - gplocke

1 Answer

The first one you show is an APP access token. The second one from Graph API Explorer is a USER access token. There is a third type called PAGE access token. Each does something different.

APP access tokens are used to get information that your app is privileged to access. And in some cases where publish_stream is granted from an app user, you can use it to post to that user's wall, without needing a USER access token.

USER access tokens are given to your app and they relate to the permissions a specific app user has granted to your application so your app can act on their behalf.

PAGE access tokens are given to page admins so they can act on behalf of the page. To go from a user access token to a page access token, call /me/accounts using the user access token to get a list of pages they admin along with each page's access token.

If you have an access token and you want to know more information about it, lint it at https://developers.facebook.com/tools/lint

For more information on access tokens see: https://developers.facebook.com/docs/authentication
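As an added illustration of the three token types described in the answer (this is example code written here, not code from the asker or the answerer, and not part of any Facebook SDK): the helpers below parse the form-encoded body the `/oauth/access_token` call returns, tell an APP token (`<app_id>|<opaque>`) apart from a user or page token by shape alone, pull page tokens out of a `/me/accounts` response, and redact tokens before they reach a log. The `/me/accounts` payload is constructed here and reuses the fake values from the question; the assumption that each entry carries `id` and `access_token` fields is taken from the Graph API documentation, not from this page. Shape cannot distinguish a USER token from a PAGE token; for that you still need the lint tool the answer links to.

```python
"""Example helpers for handling Graph API access tokens (added example, offline).

Nothing here talks to the network; the inputs are the fake token strings from
the question plus a constructed /me/accounts response.
"""
import json
from urllib.parse import parse_qs

# Constructed sample input: what the client_credentials call in the question answered with.
SAMPLE_APP_TOKEN_BODY = "access_token=123456789000000|TR528Smvi4AXMM21Zhmi5XmJwmk"

# Constructed sample input: the kind of JSON /me/accounts returns for a user
# token. The page id is the one from the question; the token value is made up.
SAMPLE_ACCOUNTS_JSON = json.dumps({
    "data": [
        {
            "id": "109813019043531",
            "name": "Example Fan Page (constructed)",
            "access_token": "PAGE_TOKEN_CONSTRUCTED_EXAMPLE",
        }
    ]
})


def parse_app_token_response(body: str) -> str:
    """Extract the token from the form-encoded body of /oauth/access_token.

    The endpoint in the question answers with 'access_token=<value>' rather
    than JSON, so treat it as a query string. The '|' inside the value is not
    special to the form encoding and survives parsing intact.
    """
    fields = parse_qs(body, strict_parsing=True)
    values = fields.get("access_token")
    if not values or len(values) != 1:
        raise ValueError("response did not contain exactly one access_token")
    return values[0]


def classify_token(token: str) -> str:
    """Return 'app' for an APP token, otherwise 'user_or_page'.

    APP tokens from grant_type=client_credentials look like '<app_id>|<opaque>'.
    USER and PAGE tokens are a single opaque string and cannot be told apart by
    shape; use the lint tool from the answer to see a token's real type.
    """
    app_id, sep, rest = token.partition("|")
    if sep and app_id.isdigit() and rest:
        return "app"
    return "user_or_page"


def page_tokens_from_accounts(accounts_json: str) -> dict:
    """Map page id -> PAGE access token from a /me/accounts response body.

    Assumes each entry in 'data' has 'id' and 'access_token' (Graph API docs);
    entries without a token (pages the user cannot act for) are skipped.
    """
    payload = json.loads(accounts_json)
    return {
        page["id"]: page["access_token"]
        for page in payload.get("data", [])
        if "id" in page and "access_token" in page
    }


def redact(token: str) -> str:
    """Render a token safely for logs, keeping just enough to correlate requests.

    An APP token carries secret-derived material after the '|', so only the
    app id is kept; other tokens keep a short prefix and suffix.
    """
    if classify_token(token) == "app":
        return token.split("|", 1)[0] + "|<redacted>"
    if len(token) <= 12:
        return "<redacted>"
    return token[:4] + "..." + token[-4:]


if __name__ == "__main__":
    app_token = parse_app_token_response(SAMPLE_APP_TOKEN_BODY)
    print(classify_token(app_token), redact(app_token))
    for page_id, page_token in page_tokens_from_accounts(SAMPLE_ACCOUNTS_JSON).items():
        print(page_id, classify_token(page_token), redact(page_token))
```

The `redact` helper is the operational takeaway from the comment thread above: an APP token is effectively a credential for the whole application, so it should only ever be used server-side and should never appear in logs, bug reports or posts in full.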