Facebook PHP SDK 4.0 : Getting Long Term Access Token

Question

I\'m trying to use the PHP sdk v4.0 to get a long term access token for PAGE management.

I\'m grabbing the access token from the user\'s login (Yes, I\'m grabbing the Pa

Answer 1

There a several types of access tokens you can use with calls to Graph. Knowing which access token to use can be tricky.

User Access Token

If you want to make changes to the page and post on the page wall as the admin user, you'll need to use that user's access token.

Login

You'll need to ask that user to log in with the manage_pages permission if you're planning on performing admin-specific actions on the page.

$helper = new FacebookRedirectLoginHelper($redirect_url);
echo 'Login';

Extending User Access Token

By default, you'll get a short-lived user access token from Facebook. I'm assuming you're using a database to store your access tokens. You'll need to exchange the short-lived user access token for a long-lived user access token and save the new token in the database.

$accessToken = $session->getAccessToken();
$longLivedAccessToken = $accessToken->extend();
echo (string) $longLivedAccessToken;

Using a code

If you're storing the long-lived user access token in the database, as a best practice, you should use the token to generate a code and then generate another long-lived access token. This way you're not using the same access token for all the requests on behalf of the user every time. This minimizes the chances of your app being flagged as spam.

use Facebook\Entities\AccessToken;

$longLivedAccessToken = new AccessToken('{long-lived-access-token}');
$code = AccessToken::getCodeFromAccessToken($longLivedAccessToken);
$newLongLivedAccessToken = AccessToken::getAccessTokenFromCode($code);

Page Access Tokens

If you want to post statues on the page and have the posts appear as if the page had posted the statuses you'll need to use a page access token.

Obtaining a page access token

Using a page admin's long-lived user access token, you can list the pages that that user administrates on the /me/accounts endpoint. You'll want to pull the access_token field which is the page access token. You can also pull the perms field to see which permissions the admin user has.

$request = new FacebookRequest($session, 'GET', '/me/accounts?fields=name,access_token,perms');
$pageList = $request->execute()->getGraphObject()->asArray();

Short-lived vs Long-lived page access tokens

If you use a short-lived user access token to obtain a page access token, the page access token will also be short-lived.

You could exchange the short-lived page access token with a long-lived page access token directly if you wanted to. This would give you a page access token that would last about 2 months.

$pageAccessToken = new AccessToken('{short-lived-page-access-token}');
$longLivedPageAccessToken = $pageAccessToken->extend();

However, if you use a long-lived user access token to obtain the page access token, the page access token will never expire.

Page access tokens "gotcha"

You can think of page access tokens as "sub access tokens" to the page admin user access token. This is an important concept because page access tokens are associated with the admin user you obtained the page access token from.

Since there are different page admin roles that a page admin can have, that will limit the scope of the page access token if the admin user isn't assigned the role that grants them a specific permission you need.