I need to access Facebook API to retrieve ads stats. All my requests will be handled on server side. I already know how to access those data by obtaining User Access Token with ads_read permission, where user has admin role in the ad account.
My application will use cron jobs to retrieve ads stats, so I would like to use App Access Token instead, because user won't need to authenticate with the dialog, right? I assigned application to the business, but it doesn't seem to work. After trying to get ads stats with App Access Token, I'm getting following error:
{
"error": {
"message": "The entity backed by id 1234567890123 cannot be seen
by the viewer with (ViewerID 0, AccountID 0):
DENY_RULE:InlinePrivacyPolicy:AlwaysDenyRule:4
(EntID: 1234567890123)",
"type": "OAuthException",
"code": 1
}
}
The application is assigned to the business, but I'm not sure if it's enough. I don't see any option to assign it to the ads account.
Am I doing it right or maybe there's another way to skip dialog part?
No, you need to use a user access token from a user who manages the ad account.
App access tokens are only useful for a narrow range of use cases, primarily for updating app settings or proving a call came from the app specifically, rather than an arbitrary user of the app
Related
There is documentation for test users in the Facebook Developer online documentation but how do you delete actual users where the application doesn't show in their app list anymore? This is with the knowledge of the access_token and facebook_user_id.
Used to delete Test Users:
https://graph.facebook.com/893450345999?method=delete&access_token=A2ADI1YMySweBABBGrWPNwKMlubZA5ZCrQbxwhtlEd9FIQUrOVjsGD3mnIWEbUhzDz7dkuBekMFdHvjvJ9CZAU7EMSSaZBsgN60FkMCi3AAZDZD
Running the test user link produces the following error:
"error": {
"message": "(#100) Can only call this method on valid test users for your app",
"type": "OAuthException",
"code": 100
}
You seek for application de-authorization:
You can de-authorize an application or revoke a specific extended permissions on behalf of a user by issuing an HTTP DELETE request to PROFILE_ID/permissions with a user access_token for that app.
permission - The permission you wish to revoke. If you don't specify a permission then this will de-authorize the application completely.
To achieve this issue request to:
https://graph.facebook.com/me/permissions?method=delete&access_token=...
Once application de-authorized it will not appear in the list of user's applications.
Update December 2021
Follow the reference for Requesting & Revoking Permissions:
To remove single permission issue a DELETE request to /{user-id}/permissions/{permission-name} passing user access token or an app access token
To de-authorize an app completely issue similar request to the /{user-id}/permissions endpoint
Real users 'delete' themselves from your app when they remove your app from their account, you don't have to do anything.
If you would like to know when users de-authorize your app like this, you can specify a Deauthorize Callback URL in your app's settings. As described in the docs at https://developers.facebook.com/docs/authentication/:
Upon app removal we will send an HTTP POST request containing a single parameter, signed_request, which, once decoded, will yield a JSON object containing the user_id of the user who just deauthorized your app. You will not receive an user access token in this request and all existing user access tokens that were previously issued on behalf of that user will become invalid.
UPDATE: To remove your own app from the user's authorized applications, issue an HTTP DELETE to https://graph.facebook.com/[userid]/permissions?access_token=... as per https://developers.facebook.com/docs/reference/api/user/.
Typically Graph API calls also support doing an HTTP POST with an extra parameter, method=DELETE, in case DELETE calls are not possible/supported.
To do it:
You must have the user access token.
Visit https://developers.facebook.com/tools/debug/accesstoken/ and debug the user access token.
Copy App-Scoped User ID
Via API call HTTP DELETE to https://graph.facebook.com/[App-Scoped User ID]/permissions?method=delete&access_token=[YOUR-APP-ACCESS-TOKEN]
Our Facebook app is linked to a Business Manager account. We have created a system user for managing all our campaigns. We are in the process of automating permission requests for those pages we don't own, so that we can create ads on their behalf. (This would be the use case, if I'm not mistaken.)
For this we're using the <business id>/pages edge, POSTing a request with the target page ID, access type and permitted roles. Playing around with Graph Explorer, we seem to be able to do this when using a user access token, but not when using the system user's one.
Is this on purpose or are we just missing something?
EDIT
For clarification, this is the success response we get when using a regular user token:
{"access_status": "PENDING"}
Whereas this is the error we receive when using the system user's token:
{
"error": {
"message": "You do not have permission to request access to the given object.",
"type": "OAuthException",
"code": 3988,
"error_subcode": 1690095,
"is_transient": false,
"error_user_title": "Invalid Permissions For Page Access Request",
"error_user_msg": "Your business isn't allowed to request access to this Page. Please ask the Page owner to grant you access or contact our support team."
}
}
Solved it. There are two types of system users: system users and admin system users. An admin system user is required for this operation, using a system user will fail with the error described above.
I am using Facebook Ad Api to create ads. How ever when i grant a user Administrator Role (1001) with the following api call:
https://graph.facebook.com/v2.5/<AD_ACCOUNT_ID>/users?role=1001&uid=xxxxx
it successfully creates the user, and when i get all the users using the following request:
https://graph.facebook.com/v2.5/<AD_ACCOUNT_ID>/users
it successfully returns the array as:
"{"data":[{"name":"firstname lastname","permissions":[1,2,3,4,5,7],"role":1001,"id":"101xxxxxxxxxx352"}}"
but when i try to create an Ad campaign or Adset with the newly added user the following exception is thrown:
[FacebookAds\Http\Exception\AuthorizationException]
(#272) This Ads API call requires the user to be admin of the application. User 16xxxxx351 not admin or developer for application 109xxxxxxxx0403.
And when i go to my app and assign the user with an Administrator or Developer Role, I can make requests successfully.
Why is facebook not allowing a user created with administrator role from the api not make api calls to its Ad Api ? And why does it allow when the user is granted Administrator/Developer role make requests ?
This is because the objects you can promote are not based upon an adaccount but are based upon your user.
You can see the connection objects a user has access to by make the following request:
<API_VERSION>/act_<AD_ACCOUNT_ID>/connectionobjects?access_token=<ACCESS_TOKEN>
The documentation states:
this call returns the IDs of all objects for which the current session
user is an administrator, and the IDs of apps for which the user is
listed as a developer or advertiser.
If you don't want to make additional administrators for your app, you can create system user in Facebook Business Manager, grant him administrator (or even advertiser) rights for Ad Account.
https://developers.facebook.com/docs/marketing-api/business-manager-api
And use his token to manage ads. In my case I used it to retrieve targeting of ads, to find where leads came to lead form from.
https://www.facebook.com/marketingdevelopers/videos/vb.606699326111137/883648801749520/
I can successfully pull statistics from the FB API using the temporary access token, however I followed the instructions to generate a token that never expires from this thread.
Long-lasting FB access-token for server to pull FB page info
It does indeed work. But then when trying to using this Page token I get the following error:
Fatal error: Uncaught exception 'FacebookAds\Http\Exception\AuthorizationException' with message '(#272) This Ads API call requires the user to be admin of the application. User XXXXXX not admin or developer for application XXXXXXX.' in
C:\www\projects\dashboard2014\vendor\facebook\php-ads-sdk\src\FacebookAds\Http\Exception\RequestException.php on line 129
However the user is an Admin of the application! I can see it in the application settings. Also I can see the token has the following permissions:
"perms": [
"EDIT_PROFILE",
"CREATE_CONTENT",
"MODERATE_CONTENT",
"CREATE_ADS",
"BASIC_ADMIN"
]
In the App settings I also put the Ad account ID in the "Authorized Ad Account IDs" field and this doesn't work still.
If I use the temporary access token from the Graph API Explorer then I am able to pull in data from any campaign in the ad account with no problem, the problems seems to be that this is a Page access token, so there's a slight difference somewhere but I can't seem to work it out?
I don't mind having a different long life access token for every Page rather than just one for the whole account however it's not working. Thanks
I'm just starting to create a in-facebook app. I'm bugging at the first step, when a user access my app for the first time. Basically, I want a welcome page to explain what is that app before requesting an access to information. A cute image with cats, whatever, but not sending directly the user to the login to my app dialog.
So, user didn't sign in to my app, I only have the "app access token" to work with the graph. According to this official Facebook dev page (at the end), I'm supposed to have some basic information access.
Question is : how ? What are the calls that I can make to the graph with an app access token ?
/me is a no go, it requires a user access token.
/$user_id is public information, with or without a token, I can retrieve basic info. But I don't have any user_id to use through the $signedRequest (which gives only country,locale & age)
How am I to get (quote):
- Basic Profile Info of a User (ID, Name, Username, Gender)
- A User’s Friends and their IDs
- Permissions granted by the User to your App
You shouldn't be using your application token for anything other than administration of your app.
It's not possible to get data before a user actually grants it.
The paragraph you mentioned is within the limits of your application
While an App Access Token is largely for the purposes of publishing
information back to Facebook on behalf of the user, there is a limited
set of information that can be retrieved from Facebook using an App
Access Token.
Basic Profile Info of a User (ID, Name, Username, Gender)
A User’s Friends and their IDs
Permissions granted by the User to your App
Say I know User001 added my app, and I want to check on some items for administration. I don't have User001's access token (or rather I shouldn't be manually using it) So instead I supply the application access token to get data that would normally return
Notice I can supply an app token allowing me to see friends (of the user who added the app) but if I choose an object not mentioned in those bullet points...
Basic Profile Info of a User (ID, Name, Username, Gender):
Yes. https://graph.facebook.com/USER_ID?fields=id,name,%20username,%20gender&access_token=APP_ACCESS_TOKEN
A User’s Friends and their IDs
If you request https://graph.facebook.com/USER_ID/friends?access_token=APP_ACCESS_TOKEN, you would get:
{ "error": {
"message": "Can't lookup all friends of 100001234567. Can only lookup for the logged in user or the logged in user's friends that are
users of your app.",
"type": "NoIndexFunctionException",
"code": 604 } }
The answer for legal solution is, NO, you must use user access token.
Similar disscussion here Get the Friends of my friend using the Graph API
Permissions granted by the User to your App
Yes. https://graph.facebook.com/USER_ID/permissions?access_token=APP_ACCESS_TOKEN