Extended Page Access Tokens with CURL

This is a follow-up to my article about Access Tokens for Facebook. It is quite easy to generate an Extended Page Access Token with the PHP SDK, but being a big fan of the Facebook JavaScript SDK, I try to avoid using the PHP SDK. So this is how you create an Extended Page Access Token with CURL only. Just in case you don't know about those Tokens: they can be used to post to a Page (as the Page, not a User) or get the Page Insights – but the most important thing is that they don't have an expiration date! You generate it once, store it in your database and use it forever.

First you have to authorize the user with the “manage_pages” permission:

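FB.login(function (response) {
    if (response.authResponse) {
        //simple user access token
        var accessToken = response.authResponse.accessToken,
            ajaxRequest = new XMLHttpRequest(),
            pageId = 'YOUR-PAGE-ID'; //replace with the ID of your Page
        ajaxRequest.onreadystatechange = function() {
            if(ajaxRequest.readyState === 4) {
                //print out the extended page access token
                console.log(ajaxRequest.responseText);
            }
        };
        ajaxRequest.open('POST','generatePageToken.php?pageId=' + encodeURIComponent(pageId), true);
        //form encoding is needed so PHP fills $_POST
        ajaxRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        ajaxRequest.send('accessToken=' + encodeURIComponent(accessToken));
    }
}, {scope: 'manage_pages'});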

Notes about the JavaScript Code:

  • Of course you need to include the JavaScript SDK correctly, as explained on Facebook: Facebook JavaScript SDK Quickstart.
  • Feel free to put the AJAX Request in a function and add some fancy callbacks or Promises if you feel like a pro. I've only included it in the login callback for the sake of simplicity. I am also using my own AJAX call instead of the easy jQuery solution, because I am a big fan of Vanilla JavaScript :).
  • If you want to release your App to other users so they can manage their own Facebook Pages, use /me/accounts to get their Pages, let them select one and use my code with the selected ID.

Alright, it is time for the PHP code now. It's pretty straightforward:

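$accessToken = isset($_POST['accessToken']) ? $_POST['accessToken'] : '';
$pageId = isset($_GET['pageId']) ? $_GET['pageId'] : '';
$fbAppId = 'xxx';
$fbAppSecret = 'xxx';

//the page id ends up in the request path, so accept digits only
if (!is_string($accessToken) || $accessToken === '' ||
    !is_string($pageId) || !ctype_digit($pageId)) {
    http_response_code(400);
    exit('invalid request');
}

$appsecretProof = hash_hmac('sha256', $accessToken, $fbAppSecret);
//init curl
$ch = curl_init();
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
//return the response as a string instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
curl_setopt($ch, CURLOPT_USERAGENT, 'facebook-php-3.2');

//get extended user access token
$url = 'https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token' .
    '&client_id=' . urlencode($fbAppId) .
    '&client_secret=' . urlencode($fbAppSecret) .
    '&fb_exchange_token=' . urlencode($accessToken) .
    '&appsecret_proof=' . $appsecretProof;
curl_setopt($ch, CURLOPT_URL, $url);
$curlResult = curl_exec($ch);
$response_params = array();
parse_str((string) $curlResult, $response_params);
//stop if the exchange did not return a token
if (empty($response_params['access_token'])) {
    http_response_code(502);
    exit('token exchange failed');
}
$extendedUserToken = $response_params['access_token'];

//the proof is bound to one token, so compute it again for the extended token
$appsecretProof = hash_hmac('sha256', $extendedUserToken, $fbAppSecret);
//get extended page access token
$url = 'https://graph.facebook.com/' . $pageId .
    '?fields=access_token' .
    '&access_token=' . urlencode($extendedUserToken) .
    '&appsecret_proof=' . $appsecretProof;
curl_setopt($ch, CURLOPT_URL, $url);
$curlResult = curl_exec($ch);
curl_close($ch);
$result = json_decode((string) $curlResult);
//stop if the page lookup did not return a token
if (!isset($result->access_token)) {
    http_response_code(502);
    exit('page token lookup failed');
}
$pageToken = $result->access_token;

echo $pageToken;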

The script takes the Page ID and the Access Token you got through the JavaScript SDK login process.

I am using the same parameters for CURL as the PHP SDK, but this should stay the same even if they update the PHP SDK – which is the beauty of the JavaScript SDK: you don't have to update on your own as it gets loaded from the Facebook servers. Also, you don't need to redirect the user to an authorization page for login. +1 for usability 🙂

You may wonder about the appsecret_proof parameter: it is the SHA-256 HMAC of the Access Token, keyed with your App Secret (the hash_hmac calls in the script), and it is very important to secure your Graph API calls in case someone gets access to your precious Access Token. You can read more about it here: Securing Graph API Requests
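The appsecret_proof check described above, as an added example that is not part of the original post. It assumes constructed tokens, a constructed App Secret and a constructed Page ID; `proof_is_valid()` and `graph_url()` are hypothetical helpers, the first standing in for the check done on the receiving side.

```php
<?php
// Added example: every token, secret and id below is a constructed sample value.

// Same computation as the hash_hmac() calls in the script above.
function appsecret_proof(string $accessToken, string $appSecret): string
{
    return hash_hmac('sha256', $accessToken, $appSecret);
}

// Hypothetical stand-in for the receiving side: recompute the proof with the
// App Secret and compare it to the submitted one in constant time.
function proof_is_valid(string $accessToken, string $proof, string $appSecret): bool
{
    return hash_equals(appsecret_proof($accessToken, $appSecret), $proof);
}

// Hypothetical helper: build a Graph API URL with URL-encoded parameters
// and a proof that matches the token being sent.
function graph_url(string $path, string $accessToken, string $appSecret, array $params = array()): string
{
    $params['access_token'] = $accessToken;
    $params['appsecret_proof'] = appsecret_proof($accessToken, $appSecret);
    return 'https://graph.facebook.com/' . ltrim($path, '/') . '?' . http_build_query($params);
}

$appSecret     = 'constructed-app-secret';
$shortToken    = 'constructed-short-lived-token';
$extendedToken = 'constructed-extended-token';

$proof = appsecret_proof($shortToken, $appSecret);

// Case 1: proof computed with the real App Secret for this token.
var_dump(proof_is_valid($shortToken, $proof, $appSecret));

// Case 2: whoever holds only the token has to compute the proof with some
// other key, and the comparison fails.
$withoutSecret = appsecret_proof($shortToken, 'not-the-app-secret');
var_dump(proof_is_valid($shortToken, $withoutSecret, $appSecret));

// Case 3: a proof is bound to one token, which is why the script computes it
// a second time after exchanging the short-lived token for the extended one.
var_dump(proof_is_valid($extendedToken, $proof, $appSecret));

// Request URL for the page token lookup, with a constructed Page ID.
echo graph_url('/123456789', $extendedToken, $appSecret, array('fields' => 'access_token')), "\n";
```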

Anyway, this should be future-proof…unless Facebook changes it.

Tip: Make sure to only use the Extended Page Token on the server for security reasons!

(Open Graph picture by oskay/everystockphoto)

10 thoughts on “Extended Page Access Tokens with CURL”

  1. Hello! I would like to know if this is still working. Also, I’ve been having trouble implementing the PHP part. My website runs on Django and I don’t know how to run the PHP code. Should I add it to a .html file under the JavaScript?

    Thanks in advance 🙂

  2. Should I have one page for the JS and another for the PHP?
    Really struggling to get this to work

    1. That's up to you, but I prefer to separate frontend and backend code – I am usually using HTML files with JS, and PHP only for interfaces to a database (or the file system). I am more into node.js right now though.

  3. Saili Jaguste

    This code is not working anymore. I have used it in one of the applications. But now the access token that I used to get as permanent access token shows error ("type":"OAuthException","code":190,"error_subcode":463)
