Changes to Facebook API: Access Tokens and offline_access

Randy Hoyt
writes on October 3, 2012



Today, Facebook is removing the offline_access permission from their API and changing how access tokens expire. You previously could give a Facebook app permission to do things like post to your timeline indefinitely, but now permissions like these expire after sixty days. This is a significant change for third-party tools that interact with Facebook. Let’s take a look at these changes and discuss what you’ll need to do to deal with them.

What’s Changed

Let’s look at Facebook’s own WordPress plugin that integrates WordPress websites with Facebook. This plugin can (among other things) automatically post a link to your timeline whenever you publish a blog post. To set this up, you create your own app on Facebook and grant it permission to publish to your timeline.

Screenshot: Granting Permissions to a Facebook App

This creates an access token that the WordPress plugin will use every time it interacts with Facebook. This access token is a very long string (116 characters). You can view information about a particular access token by using the Facebook Debugger.

Screenshot: Facebook Debugger

Two things are new with today’s Facebook changes:

  • The Expires value is now only 60 days. Users previously could grant an app permission that never expired, but they can no longer do this.
  • The Scopes no longer contains an offline_access permission. (All tokens now contain this permission implicitly, at least until they expire.)

With the WordPress plugin connected to my app, I can start writing blog posts in WordPress. The plugin will publish links to them on Facebook without any trouble — at least for the next 60 days, until the access token expires.

Here’s the problem: imagine that (as the expiration time approaches) I schedule out blog posts for a two-week period and then go on vacation. Unfortunately, the access token could expire while I’m on vacation, and the plugin will be unable to share links to my blog posts on Facebook until I get back and re-authenticate.

What You’ll Need To Do

These changes affect both developers and users of third-party tools that interact with the Facebook API. Here are two recommendations for dealing with these changes, based on my experience so far working with different projects affected by them.


I recommend updating your access tokens every month. Set a recurring item on your calendar or task list, and make it a part of your regular routine. The exact steps to do this will depend on your tool, of course, but one of these should work:

  • Third-party tools typically provide an interface for getting access tokens — at least initially. You’ll typically need to visit a settings screen within the third-party tool and click a button to get a new access token, though it may be more complicated than that. If it’s not clear how to do it, you’ll need to get in touch with the developer(s) about it.
  • If you have written your own code to interact with the Facebook API, you’ll usually have specified your access token. I have put together a simple bookmarklet you can use to get an access token that is valid for sixty days: Facebook Access Token Bookmarklet.

One project affected by these changes is a network of shopping center websites I helped develop; each website displays a list of recent Facebook and Twitter updates from all the stores in the shopping center. (Here’s one example site: Alexandria Mall.) The code uses an app to interact with the Facebook API, and the access token in that code now needs to be updated on a regular basis.


With the loss of the offline_access permission, you’ll need to think about your users’ experience with your tool from a new perspective. Keep track of when the access token was created and when it expires. Prompt the user to re-authenticate within your tool’s interface as the expiration date gets close. Email users once a month, encouraging them to re-authenticate before the access token expires.

Another project affected by these changes is a social media publishing tool that I run which allows agencies to schedule updates to multiple Facebook and Twitter accounts from within one interface. It was fairly easy in the interface for a customer to connect to a new Facebook profile or page, and the tool relied on the offline_access permission to keep that connection indefinitely. However, it was not easy in the tool to update access tokens across multiple Facebook pages. Over the summer, in preparation for this change, I built a new re-authentication screen to make this process much more manageable for customers.

I really expected Facebook’s own third-party tools to set a good example with this, but unfortunately their WordPress plugin handles expired tokens incredibly poorly. I let my access token expire, and then I tried to publish a post. The plugin should have known that the token was expired and warned me beforehand, but it didn’t. I received no indication that anything was wrong until I hit Publish. I received the error below — too late for me to do anything about it. (If I had scheduled the post instead of publishing it immediately, I wouldn’t have even seen this error.)

Screenshot: Facebook WordPress Plugin Error

If that wasn’t bad enough, I could not figure out how to reactivate publishing. The error told me to go to the Facebook Settings page and re-enable something, but I went to that page and could find no such thing. I honestly have no idea how to re-establish my site’s connection from the plugin’s interface.
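The expiry tracking recommended above (record when each token was created and when it expires, prompt before it lapses, and check scheduled posts against the expiry so the warning comes at scheduling time), as an added example that is not from the original post or from Facebook's plugin. The `StoredToken` record, the 14-day `RENEW_WINDOW`, and the sample accounts and dates are assumptions constructed for illustration; it makes no calls to the Facebook API.

```python
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(days=60)  # lifetime stated in the post
RENEW_WINDOW = timedelta(days=14)    # assumption: prompt two weeks before expiry

class StoredToken:
    """What a tool keeps next to each access token (hypothetical record)."""
    def __init__(self, account, issued_at, expires_at=None):
        self.account = account
        self.issued_at = issued_at
        # Prefer the expiry reported at authentication; else assume 60 days.
        self.expires_at = expires_at or issued_at + TOKEN_LIFETIME

def token_status(token, now):
    """Classify a token as 'expired', 'renew_soon' or 'ok' at time `now`."""
    if now >= token.expires_at:
        return "expired"
    if token.expires_at - now <= RENEW_WINDOW:
        return "renew_soon"
    return "ok"

def accounts_to_prompt(tokens, now):
    """Accounts whose owner should see a re-authentication prompt."""
    return sorted(t.account for t in tokens if token_status(t, now) != "ok")

def posts_at_risk(token, scheduled_times):
    """Scheduled publish times at which the token will already be invalid."""
    return [t for t in scheduled_times if t >= token.expires_at]

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data: three connected accounts and a publishing queue.
NOW = utc(2012, 11, 25)
TOKENS = [
    StoredToken("blog-page", issued_at=utc(2012, 10, 3)),    # expires 2012-12-02
    StoredToken("store-page", issued_at=utc(2012, 11, 20)),  # expires 2013-01-19
    StoredToken("old-profile", issued_at=utc(2012, 9, 1)),   # expires 2012-10-31
]
QUEUE = [utc(2012, 11, 28), utc(2012, 12, 1), utc(2012, 12, 5)]

if __name__ == "__main__":
    for tok in TOKENS:
        print(tok.account, tok.expires_at.date(), token_status(tok, NOW))
    print("prompt:", accounts_to_prompt(TOKENS, NOW))
    # Warn at scheduling time, not when the post silently fails to publish.
    for when in posts_at_risk(TOKENS[0], QUEUE):
        print("will fail without re-authentication:", when.date())
```

Running the same `posts_at_risk` check whenever a post is scheduled covers the vacation scenario described earlier: the author learns that a queued post falls after the token's expiry while there is still time to re-authenticate.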


These changes to the Facebook API are fairly significant and will require some effort to overcome. If you are using an access token for your own site, you’ll have to be diligent to keep it current. If you are building a tool for other people, you may need to put in some work to maintain a good experience for your users.

I’d love to hear about your experiences with these changes so far. Do you use or develop any third-party tools? How have these changes affected you?

5 Responses to “Changes to Facebook API: Access Tokens and offline_access”

  1. Tell me how to renew the time period of access token??

  2. I tried to use offline_access using scope, but the returned access_token validity is still showing 2 hours only.

  3. sriharigoud2010 on April 30, 2013 at 5:04 am said:

    Yes, thank you for your post. I have one doubt, how to use access token to post user’s wall. I tried it but it is showing that “This may be because the user logged out or may be due to a system error.”, how can we use?

  4. new version v2.4 was not showing the facebook groups, but the old version show good, how can we get the fb groups for the new version

