I would like to show the posts from my Facebook page in another website using Graph API:
https://graph.facebook.com/[pageID]/feed?access_token=[accesstoken]
My question is, which access token should I use?
I have tried using my App Token, but I feel like I should be using other access tokens, how would I be able to obtain another Access Token?
Depending on your use case there a three different options when it comes to the question of which access_token to use:
Use any sort of access_token to get all posts that are public
Use an user access_token to get all posts visible to the user the token belongs to
Use a page access_token to get all posts
As far as I understand you, you want to get all posts from your page, regardless of any restrictions that may apply to a user that is viewing the feed (example: age restrictions, country restrictions). In that case use the page access_token for the page you want to get the feed from.
You can get the page token by calling /me/accounts [1], look for the page object and get the access_token for that page.
You can also read about it in the Graph API documentation [2] for pages.
[1] https://developers.facebook.com/tools/explorer/?method=GET&path=me%2Faccounts&version=v2.0
[2] https://developers.facebook.com/docs/graph-api/reference/v2.0/page/feed#read
Related
We are having a facebook App we have detected some abusive users so we want to stop them from logging into our app, Any thoughts? There are examples given but Fb docs say those api's are deprecated now
You could just detect them on your own and set a flag in your database. They will still be able to use Facebook Login, but they will not be able to do anything in your App if they are flagged.
Either way, i did some Google research and found out that it may be possible with a simple POST (or DELETE) request to the /app-id/banned endpoint:
BAN
https://graph.facebook.com/{app-id}/banned
POST parameters:
access_token (A simple App Access Token)
uid (comma separated list of user IDs)
UNBAN
https://graph.facebook.com/{app-id}/banned/{user-id}
DELETE request, only access_token as parameter
It is not really documented though, but easy to test.
I have read almost all the graph API and i don't get this thing at all .
I am some user, who needs to get some other public page photos . thats it,very simple.
So to do that, i can just :
https://graph.facebook.com/page id/photos/uploaded/
Which is works great. gives a json with the photos .
BUT ,Facebook is always talks about this tokens everywhere. you need a token to everything .
So after so much frustration i have got this token i created to some app i made.
Problem is, what i do with this token ?? i don't see any place in the API where i put this token in the http request .
Take this request i showed here for example, it works for any page without a token. so where goes the token? why do i need it ?
Why when talking about getting images of some page they always say you must be the admin of that page? NO I DONT want to be the admin of a page, i just want to get photos of other page, that i don't own, with a simple http request.
Everything is messed up for me .
You can apply an access_token to any Graph API request by appending ?access_token=xxx to the URL. In your example, the resulting URL would be:
https://graph.facebook.com/page id/photos?access_token=xxx
The access_token is typically used to access any data that isn't public. While its true that you don't need an access_token or be an Admin of a page to get Photos, you may still need an access_token to access pages with location or age restrictions.
For example, I can easily get public photos from the Coca Cola page:
https://graph.facebook.com/cocacola/photos
But not for this protected page (since you must be 18+ to access this page):
https://graph.facebook.com/Betfair/photos
Reading the API docs (https://developers.facebook.com/docs/reference/api/page/) I assumed that in order to read a public pages status updates, I would require "any valid access_token or user access_token" (quoting the docs here).
However, if I try to get the status updates for the public page, using my app access token, I receive the following response: "A user access token is required to request this resource"
GET 20531316728/statuses?access_token=myappaccesstoken
So, my question is if the docs are just plain wrong, I'm doing something wrong or whatever?
There is a clarification that needs to occur by Facebook [1]. The docs are either outdated or Facebook has changed their mind on handling these updates which is interesting seeing that
GET /PAGE_ID/feed?access_token=myappaccesstoken
Works (and holds all the statuses). I was told by someone in IRC #facebook that maybe the statuses call is more expensive (Not too bought on this idea).
My current stance is that either
any valid access_token or user access_token was supposed to imply those excluding app tokens
Facebook realizes that one can bypass the OAuth Flow by using an app token on pages when Facebook desired some form of authentication.
In the end, these are all assumptions.
I haven't been able to get a clear answer out of any Facebook employee as to whether this is indeed a bug or an intentional removal of this feature.
[1] - http://developers.facebook.com/bugs/480742545315442
Beginner here, and I've been getting lost in the Facebook developer docs and Google for hours. I'm sure this is a simple question, but I just need some direction.
What I'm trying to do: query latest post of a page owner from a public Facebook page with JavaScript and parse it to display within my own HTML (can't use a Social Plugin - I need custom control over HTML/CSS).
What I've got working so far:
var token = '<my_token>';
var query = 'fields=posts.limit(1)';
var request = 'https://graph.facebook.com/[mypage]?' + query + '&access_token=' + token;
$.getJSON(request, function(response) {
alert(response.posts.data[0].message);
});
This does work, however, the Access Token debugger says my access_token is going to expire in 2 months. Why? It's a public Facebook page, and I only want to query the page owner's latest comment. Do I really need to create a Facebook App and login via PHP to just to access this public information?
I'm doing the exact same thing with a Twitter feed and all I had to do was $.getJSON http://api.twitter.com/1/statuses/user_timeline/.json, completely in JavaScript.
It seems getting similar information from Facebook is much more difficult, but perhaps I'm going about it the wrong way?
This does work, however, the Access Token debugger says my access_token is going to expire in 2 months. Why?
Because that’s what user access tokens do.
Do I really need to create a Facebook App and login via PHP to just to access this public information?
For pages that are restricted in any way (based on age, country or for alcohol related content) you have to use a user access token, because that’s the only way Facebook can figure out whether you’re actually allowed to see the content or not.
If it’s your own page, then you could generate a page access token – those don’t expire by default, if you use a long-lived user access token to get them.
But you don’t want to expose that kind of token in client-side JavaScript, because everyone visiting your site could steal it from there and act on behalf of your page then.
I'm playing around with Facebook Connect, trying to use Facebook as the means or authentication on my site. Currently my workflow looks something like this:
Go to URL
Server checks cookies for AccessToken
If AccessToken exists, automatically fill in user's name/profile picture in comment box, and leave AccessToken in hidden input
send page down to client
on submit, verify access token (which was submitted with the rest of the form) is a valid access token for a real person. If so, add comment to Database
refresh page to display new data
if no access token, replace user's name/profile picture with <fb:login-button>, along with the required <script>s.
send page down to client
When user authorizes page/logs into facebook, refresh page
(go back to top, except this time the access token should exist)
So I have a few questions:
Is this secure? I was thinking of ways i would be able to do without the double authentication with Facebook (checking once on page-generation and checking again on comment-submission), and I could not figure any other way short of maintaining my own session-state with each client. Is that worth doing?
Does the access token expire when i log out of Facebook? I'm thinking it should, but it seems I can continue to use the same access token to grab data (i.e. name, url, etc.) after I manually go to Facebook and log myself out. Is it because I'm only asking for public information, and only more intrusive permissions expire on logout?
Given that each person who wants to do something has to provide a unique token from Facebook, this should have the side effect of blocking CSRF, since every action can be traced to a valid Facebook account. Is that right?
Why don't you just use the Facebook Javascript SDK to detect if they're currently logged into Facebook? This will also make the access token available in Javascript so you can make client-side calls to the API.
You can access the same access token server side via the session cookie set by Facebook also.
I can't answer all of your questions but I can tell you that having the access token in a hidden field on your page is risky from a policy perspective, especially if your page can be read by any third-party code such as Google Analytics or AdSense. Facebook will nail you for this as it is leaking user identifying data to third parties. The Facebook userid is in the access token in plain text. Facebook has automated processes that scan for this stuff and will auto-ban your app if it is leaking userids to third parties.