This is a follow up to my article about Access Tokens for Facebook. It is quite easy to generate an Extended Page Access Token with the PHP SDK, but being a big fan of the Facebook JavaScript SDK i try to avoid using the PHP SDK. So this is how you create an Extended Page Access Token with CURL only. Just in case you don´t know about those Tokens: They can be used to post to a Page (as the Page, not a User) or get the Page Insights – but the most important thing is that they don´t have an expiration date! You generate it once, store it in your database and use it forever.
First you have to authorize the user with the “manage_pages” permission:
FB.login(function (response) {
if (response.authResponse) {
//simple user access token
var accessToken = response.authResponse.accessToken,
ajaxRequest = new XMLHttpRequest(),
pageId = [YOUR-PAGE-ID];
ajaxRequest.onreadystatechange = function() {
if(ajaxRequest.readyState === 4) {
//print out the extended page access token
console.log(ajaxRequest.responseText);
}
};
ajaxRequest.open('POST','generatePageToken.php?pageId=' + pageId, true);
ajaxRequest.setRequestHeader('Content-type','application/x-www-form-urlencoded');
ajaxRequest.send('accessToken=' + accessToken);
}
}, {scope: 'manage_pages'});
Notes about the JavaScript Code:
- Of course you need to include the JavaScript SDK correctly, as explained on Facebook: Facebook JavaScript SDK Quickstart.
- Feel free to put the AJAX Request in a function and add some fancy callbacks or Promises if you feel like a pro. I´ve only included it in the login callback for the sake of simplicity. I am also using my own AJAX call instead of the easy jQuery solution, because i am a big fan of Vanilla JavaScript :).
- If you want to release your App to other users so they can manage their own Facebook Pages, use /me/accounts to get their Pages, let them select one and use my code with the selected ID.
Alright, it is time for the PHP code now, it´s pretty straightforward:
<?php
$accessToken = $_POST['accessToken'];
$pageId = $_GET['pageId'];
$fbAppId = 'xxx';
$fbAppSecret = 'xxx';
$appsecretProof = hash_hmac('sha256', $accessToken, $fbAppSecret);
//init curl
$ch = curl_init();
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_USERAGENT, 'facebook-php-3.2');
//get extended user access token
$url = 'https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token' .
'&client_id=' . $fbAppId .
'&client_secret=' . $fbAppSecret .
'&fb_exchange_token=' . $accessToken .
'&appsecret_proof=' . $appsecretProof;
curl_setopt($ch, CURLOPT_URL, $url);
$curlResult = curl_exec($ch);
$response_params = array();
parse_str($curlResult, $response_params);
$extendedUserToken = $response_params['access_token'];
$appsecretProof = hash_hmac('sha256', $extendedUserToken, $fbAppSecret);
//get extended page access token
$url = 'https://graph.facebook.com/' . $pageId .
'?fields=access_token' .
'&access_token=' . $extendedUserToken .
'&appsecret_proof=' . $appsecretProof;
curl_setopt($ch, CURLOPT_URL, $url);
$curlResult = curl_exec($ch);
curl_close($ch);
$pageToken = json_decode($curlResult)->access_token;
echo $pageToken;
The script takes the Page ID and the Access Token you got through the JavaScript SDK login process.
I am using the same parameters for CURL as the PHP SDK, but this should stay the same even if they update the PHP SDK – which is the beauty of the JavaScript SDK, you don´t have to update on your own as it gets loaded from the Facebook servers. Also, you don´t need to redirect the user to an authorization page for login. +1 for usability 🙂
You may wonder about the appsecrect_proof parameter: That one is very important to secure your Graph API calls in case someone gets access to your precious Access Token. You can read more about it here: Securing Graph API Requests
Anyway, this should be future-proof…unless Facebook changes it.
Tip: Make sure to only use the Extended Page Token on the server for security reasons!
(Open Graph picture by oskay/everystockphoto)
Thank you Sir.
I’ve been trying since 2 weeks. You helped me so much, i can’t be thankful enough!
how can i know my pageid ?
just replace “www” with “graph” in the browser when you access your page: graph.facebook.com/your-url – you will some basic info about your page and the id.
nice replies.. i had tried.. the result page id is same like my url. like that ?
well, if you did not set a vanity url, then the ID is already in the url, yes.
Hello! I would like to know if this is still working. Also, I’ve been having trouble implementing the PHP part. My website runs on Django and I don’t know how to run the PHP code. Should I add it to a .html file under the JavaScript?
Thanks in advance 🙂
the code should still work, yes. Django is Python, so you either need to run a PHP server or you could reprogram it with Python. For example: http://stackoverflow.com/questions/2667509/curl-alternative-in-python
Should i have one page for the js and another for the php?
really struggling to get this to work
that´s up to you, but i prefer to separate frontend and backend code – i am usually using html files with js, and php only for interfaces to a database (or the file system). i am more into node.js right now though.
This code is not working anymore. I have used it in one of the applications. But not the access token that I used to get as permanent access token shows error(“type”:”OAuthException”,”code”:190,”error_subcode”:463)