Vernieuw Access Token [Facebook SDK PHP]

Expiration and Extending Tokens

Facebook's official SDKs manage the lifetime of tokens for you. When using iOS, Android or our JavaScript SDK, the SDK will handle making sure that tokens are refreshed before they expire. For example, access tokens on the web often have a lifetime of about two hours, but will automatically be refreshed when required.

But if you want to use access tokens for longer-lived apps, especially server side, you need to generate a long-lived token. You get a long-lived access token by making a call to this endpoint:

1
2
3
4
5

GET /oauth/access_token?  
    grant_type=fb_exchange_token&           
    client_id={app-id}&
    client_secret={app-secret}&
    fb_exchange_token={short-lived-token}

Note that the app secret is included in this API call, so you should never actually make the request client-side; instead implement some server-side code that makes the request, then pass the response containing the long-lived token back to your client-side code. This will be a different string to the original token, so if you're storing these tokens, replace the old one.

Apps are unable to exchange an expired short-lived token for a long-lived token. The flow above only works with short-lived tokens that are still valid. Once they expire, your app must send the user through the login flow again.

Refreshing Long-Lived Tokens

Even the long-lived access token will eventually expire. At any point, you can generate a new long-lived token by sending the person back to the login flow used by your app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token - how this appears to the person will vary based on the type of login flow that you are using, for example if you are using the JavaScript SDK, this will take place in the background, if you are using a server-side flow, the browser will quickly redirect to the Login Dialog and then automatically and immediately back to your app again.

After doing the above you will obtain a new short-lived token and then you need to perform the same exchange for a long-lived token as above.

In some cases, this newer long-lived token might be identical to the previous one, but we can't guarantee it and your app shouldn't depend upon it.

Extending Page Access Tokens

Apps can retrieve a Page access token from Page admin users when they authenticate with the manage_pages permission. If the user access token used to retrieve this Page access token is short-lived, the Page access token will also be short-lived.

To get a longer-lived Page access token, exchange the User access token for a long-lived one, as above, and then request the Page token. The resulting Page access token will not have any expiry time.