Today, Facebook is removing the offline_access permission from their API and changing how access tokens expire. You previously could give a Facebook app permission to do things like post to your timeline indefinitely, but now permissions like these expire after sixty days. This is a significant change for third-party tools that interact with Facebook. Let’s take a look at these changes and discuss what you’ll need to do to deal with them.
Let’s look at Facebook’s own WordPress plugin that integrates WordPress websites with Facebook. This plugin can (among other things) automatically post a link to your timeline whenever you publish a blog post. To set this up, you create your own app on Facebook and grant it permission to publish to your timeline.
This creates an access token that the WordPress plugin will use every time it interacts with Facebook. This access token is a very long string (116 characters). You can view information about a particular access token by using the Facebook Debugger.
Two things are new with today’s Facebook changes:
- The Expires value is now only 60 days. Users previously could grant an app permission that never expired, but they can no longer do this.
- The Scopes value no longer contains an offline_access permission. (All tokens now carry this permission implicitly, at least until they expire.)
With the WordPress plugin connected to my app, I can start writing blog posts in WordPress. The plugin will publish links to them on Facebook without any trouble — at least for the next 60 days, until the access token expires.
Here’s the problem: imagine that (as the expiration time approaches) I schedule out blog posts for a two week period and then go on vacation. Unfortunately, the access token could expire while I’m on vacation and the plugin will be unable to share links to my blog posts on Facebook until I get back and re-authenticate.
What You’ll Need To Do
These changes affect both developers and users of third-party tools that interact with the Facebook API. Here are two recommendations for dealing with these changes, based on my experience so far working with different projects affected by them.
UPDATE YOUR OWN ACCESS TOKENS MONTHLY
I recommend updating your access tokens every month. Set a recurring item on your calendar or task list, and make it a part of your regular routine. The exact steps to do this will depend on your tool, of course, but one of these should work:
- Third-party tools typically provide an interface for getting access tokens — at least initially. You’ll typically need to visit a settings screen within the third-party tool and click a button to get a new access token, though it may be more complicated than that. If it’s not clear how to do it, you’ll need to get in touch with the developer(s) about it.
- If you have written your own code to interact with the Facebook API, you’ll usually have specified your access token. I have put together a simple bookmarklet you can use to get an access token that is valid for sixty days: Facebook Access Token Bookmarklet.
One project affected by these changes is a network of shopping center websites I helped develop; each website displays a list of recent Facebook and Twitter updates from all the stores in the shopping center. (Here’s one example site: Alexandria Mall.) The code uses an app to interact with the Facebook API, and the access token in that code now needs to be updated on a regular basis.
DEVELOPERS: MAKE IT EASY FOR USERS TO RE-AUTHENTICATE
With the loss of the offline_access permission, you’ll need to think about your users’ experience with your tool from a new perspective. Keep track of when the access token was created and when it expires. Prompt the user to re-authenticate within your tool’s interface as the expiration date gets close. Email users once a month, encouraging them to re-authenticate before the access token expires.
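The bookkeeping described above, as an added example that is not code from the post or from any Facebook SDK: it records when a token was issued and when it expires, classifies the token as fine, expiring soon or expired, decides when the monthly reminder email is due, and flags scheduled posts that fall past expiry (the vacation scenario from earlier in the post). The two-week warning window and the 30-day reminder interval are assumptions for this example; the 60-day lifetime is the figure the post gives. The sample dates and post queue are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Sequence, Tuple

# Lifetime of a user access token after this change, per the post: sixty days.
TOKEN_LIFETIME = timedelta(days=60)
# Assumed thresholds for this example; the post gives no specific numbers.
# Start prompting for re-authentication two weeks before expiry, and send the
# monthly reminder email the post recommends no more often than every 30 days.
WARN_BEFORE = timedelta(days=14)
REMINDER_INTERVAL = timedelta(days=30)


def days(n: int) -> timedelta:
    """Convenience for building sample dates."""
    return timedelta(days=n)


@dataclass
class StoredToken:
    """Metadata an app should persist next to each user's access token.

    The token string itself is not needed for any of these checks and is
    deliberately kept out of this record.
    """
    issued_at: datetime
    expires_at: datetime
    last_reminder_at: Optional[datetime] = None


def record_new_token(issued_at: datetime) -> StoredToken:
    """Build the record to store whenever a user (re-)authenticates."""
    return StoredToken(issued_at=issued_at, expires_at=issued_at + TOKEN_LIFETIME)


def days_remaining(tok: StoredToken, now: datetime) -> int:
    """Whole days left before the token expires; negative once it has."""
    return (tok.expires_at - now).days


def token_status(tok: StoredToken, now: datetime) -> str:
    """Classify the token: 'expired', 'expiring_soon' or 'ok'."""
    if now >= tok.expires_at:
        return "expired"
    if tok.expires_at - now <= WARN_BEFORE:
        return "expiring_soon"
    return "ok"


def reminder_due(tok: StoredToken, now: datetime) -> bool:
    """True when the monthly re-authentication email should go out."""
    if tok.last_reminder_at is None:
        return True
    return now - tok.last_reminder_at >= REMINDER_INTERVAL


def posts_at_risk(tok: StoredToken, scheduled: Sequence[Tuple[str, datetime]]) -> List[str]:
    """Titles of scheduled posts due at or after the token's expiry.

    A post scheduled past expiry will fail to share with nobody watching, so
    the time to warn is when the post is scheduled, not when it publishes.
    """
    return [title for title, publish_at in scheduled if publish_at >= tok.expires_at]


def check_token(tok: StoredToken, now: datetime,
                scheduled: Sequence[Tuple[str, datetime]] = ()) -> dict:
    """One report that a settings screen or a nightly job can act on."""
    return {
        "status": token_status(tok, now),
        "days_remaining": days_remaining(tok, now),
        "reminder_due": reminder_due(tok, now),
        "posts_at_risk": posts_at_risk(tok, scheduled),
    }


# Constructed sample data: a token granted on 3 Oct 2012 (UTC), checked 55 days
# later with two weeks of scheduled posts straddling its expiry, which is the
# vacation scenario from the post.
SAMPLE_GRANTED = datetime(2012, 10, 3, tzinfo=timezone.utc)
SAMPLE_TOKEN = record_new_token(SAMPLE_GRANTED)
SAMPLE_NOW = SAMPLE_GRANTED + days(55)
SAMPLE_QUEUE = [("Post %d" % i, SAMPLE_NOW + days(i)) for i in range(1, 15)]


def sample_report() -> dict:
    """Run the check against the constructed sample data."""
    return check_token(SAMPLE_TOKEN, SAMPLE_NOW, SAMPLE_QUEUE)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(key, value)
```

Running the sample reports the token as expiring in five days with the reminder overdue, and lists the ten queued posts that would fail to share; a tool that surfaces that list when the posts are scheduled spares the user the silent failure the post describes.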
Another project affected by these changes is a social media publishing tool that I run which allows agencies to schedule updates to multiple Facebook and Twitter accounts from within one interface. It was fairly easy in the interface for a customer to connect to a new Facebook profile or page, and the tool relied on the offline_access permission to keep that connection indefinitely. However, it was not easy in the tool to update access tokens across multiple Facebook pages. Over the summer, in preparation for this change, I built a new re-authentication screen to make this process much more manageable for customers.
I really expected Facebook’s own third-party tools to set a good example with this, but unfortunately their WordPress plugin handles expired tokens incredibly poorly. I let my access token expire, and then I tried to publish a post. The plugin should have known that the token was expired and warned me beforehand, but it didn’t. I received no indication that anything was wrong until I hit Publish. I received the error below — too late for me to do anything about it. (If I had scheduled the post instead of publishing it immediately, I wouldn’t have even seen this error.)
If that wasn’t bad enough, I could not figure out how to reactivate publishing. The error told me to go to the Facebook Settings page and re-enable something, but I went to that page and could find no such thing. I honestly have no idea how to re-establish my site’s connection from the plugin’s interface.
These changes to the Facebook API are fairly significant and will require some effort to overcome. If you are using an access token for your own site, you’ll have to be diligent about keeping it current. If you are building a tool for other people, you may need to put in some work to maintain a good experience for your users.
I’d love to hear about your experiences with these changes so far. Do you use or develop any third-party tools? How have these changes affected you?