Long-lasting FB access-token for server to pull FB page info

An approach that works in 2019

I was recently trying to achieve something similar (to the use case described in this thread), but I wanted to make sure to respect Facebook's current policies, so I did a little research and here I'm sharing what I found.

My use case

So, as I said already, my use case is very similar to the one described here; that is:

• I'm doing some work for a school district.
• They are using a software tool to manage pretty much everything that relates to school transportation.
• That tool allows them to send email notifications (to subscribers) when they publish bus delay alerts and school closure alerts.
• A lot of people in the community follow the organization on their Facebook page, and that's the only place they look for those alerts.
• So an employee of the organization has to manually publish each notification on the Facebook page (in addition to creating it in the transportation software). Moreover, those notifications eventually expire (or are simply deleted before they expire), so the employee has to go back later on to delete them manually as well.
• It's a waist of time, so what we are trying to do here is to develop as simple system that periodically polls the software tool's database for new (and expired) notifications and update them (i.e. add and remove) on the Facebook page.

This is, in my view, a legitimate use case, but I wasn't sure how to implement it in a way that's in line with Facebook's policies.

The accepted answer

I followed the steps of the accepted answer and it worked, except that things appear to have changed: now, even though the generated page token does not expire, access to data does expire after around 60 days. You will see that as well if you follow the procedure and inspect the page token in the FB Token Debugger Tool.

Besides, the fact that the generated page tokens are tied to the user account is also unfortunate, because if the user updates his/her password, then the page token also gets invalidated.

How to do it in 2019

After several hours of research, I stumbled upon the following Facebook documentation article: Business Login for Direct Businesses.

It turns out that it is now possible, following the steps described in the above article, to generate a page token that is not associated to any particular Facebook user account and which will not expire (unless the FB App gets deleted or the underlying application token gets deleted, you know...)

So here are the steps and the most important parts:

• You need a Business Manager account.
  • Verification will be required and a digital contract will have to be signed.
• You need to add the target Facebook page to that account.
• You need to create a Facebook App, and transfer that app to the same Business Manager account as well.
• The app will have to go through Facebook's review process, because the following permissions will be needed: manage_pages and publish_pages.
  • Important note For the posts made using the generate page token to be visible to users other than the application administrators, that app will need to have been published and approved.
  • You may still experiment with the concept without submitting for review, but the posts won't be publicly visible.
• In the Business Manager account (only after your app and page have been added to the account), you need to create what's called a System User, and give that user admin role (or permissions) to the target Facebook page.
  • A system user is owned by the Business Manager account, and isn't tied to a specific user. My current understanding is that one major use case for a system user is programmatic access to Facebook's Graph API (just what we need).
• Then, for that system user, you need to generate a access token (which will be never-expiring). You will be prompted to select for which app. You will then select your target app.
• You will then need to use the generated app token to generate a page token, which will also be never-expiring. The procedure is described in this article as:

GET /<PAGE_ID>?fields=access_token&access_token=<SYSTEM_USER_ACCESS_TOKEN>

• That's it.

That token will never expire, and it won't be tied to a particular Facebook user, so it's exactly what we need!

The last part is to make sure that your Facebook app gets approved by Facebook. It's in fact the most important part, because the whole procedure is worthless if people don't see our posts.

I wanted to know for sure that I could rely on the above procedure to build something for my client without Facebook rejecting it in the end, so, beforehand (i.e. before starting to work on my client's project), I went through the whole process of creating a page, an app, a Business Manager account, etc. I verified my business. I submitted my app for review. In my request, I was very specific about my use case and emphasized that the app was for "self-use" (i.e. that the organization is developing an app for itself, not for other Facebook users). I got approved without less than 24 hours.

A few other notes about the app review process:

• I had to select a platform for the app, so I selected website.
• I had to indicate why the app needed the two permissions and how it was going to use them.
• I had to indicate why the reviewer would not be able to sign into my app and try it (i.e. because the app will be used by a worker process).
• For the mandatory screencasts, I simply presented manual operations in the terminal using the curl utility (to generate the page token and make posts to the Facebook page). I also showed how I was using Business Manager to link the system user to the page and generate a token, and so on.
• Again, I was very specific about my use case, and I think that that helped.

I hope this information will be useful to people with similar use cases.

Many thanks to @redhotvengeance for step-by-step guide.

After some time, now there is clearly described in Facebook documentation:

https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension

Extending Page Access Tokens

Apps can retrieve a page access token from Page admin users when they authenticate with the manage_pages permission. If the user access token used to retrieve this page access token is short-lived, the page access token will also be short-lived.

To get a longer-lived page access token, exchange the User access token for a long-lived one, as above, and then request the Page access token. The resulting page access token will not have any expiry time.

This is covered in the Offline Access deprecation document

Use the 60-day token for the page admin to retrieve a Page Access Token (via /PAGE_ID?fields=access_token or /me/accounts) - the Page access token will not have an expiry time

These are the steps that were previously in the question - they have been migrated to this answer.

Having found that it is possible to generate a Facebook Page Access Token that does not expire (with help from @Igy), here is a clear, step-by-step quide for all those looking to the same:

1. Make sure you are the admin of the FB page you wish to pull info from
2. Create a FB App (should be with the same user account that is the page admin)
3. Head over to the Facebook Graph API Explorer
4. On the top right, select the FB App you created from the "Application" drop down list
5. Click "Get Access Token"
6. Make sure you add the manage_pages permission
7. Convert this short-lived access token into a long-lived one by making this Graph API call: https://graph.facebook.com/oauth/access_token?client_id=<your FB App ID >&client_secret=<your FB App secret>&grant_type=fb_exchange_token&fb_exchange_token=<your short-lived access token>
8. Grab the new long-lived access token returned back
9. Make a Graph API call to see your accounts using the new long-lived access token: https://graph.facebook.com/me/accounts?access_token=<your long-lived access token>
10. Grab the access_token for the page you'll be pulling info from
11. Lint the token to see that it is set to Expires: Never!

That should do it. You should now have a Facebook Page Access Token that doesn't expire, unless:

• You change your Facebook account password
• You lose admin access for the target page
• You delete or de-authorize your Facebook App

Any of these will cause the access token to become invalid.

If you are getting (#100) Tried accessing nonexisting field (accounts) on node type (Page), go to the Access Token Debugger, copy the value of User ID, and use it to replace the "me" part of the URL in step 9.