There's only one thing the server has to do: just check the access token's validity.

Clients send the user id and the access token obtained from FB.getLoginStatus to the server. I expected there would be some URL that checks an access token's validity, like http://xxx.facebook.com/access_token?=xxxxxxxxxxxxxxxxxxxxxxxxxxxx.

That would return whether it's an available one or not; or is there any API (server side) for that?

double-beep
So Jae Kyung
  • Why not just call graph.facebook.com/me/permissions ? – Igy Dec 22 '11 at 15:59
  • See also http://stackoverflow.com/questions/8141037/get-application-id-from-user-access-token-or-verify-the-source-application-for – Vadzim Jul 23 '15 at 20:29
  • possible duplicate of [Facebook access token server-side validation for iPhone app](http://stackoverflow.com/questions/5406859/facebook-access-token-server-side-validation-for-iphone-app) – Flimzy Sep 09 '15 at 23:31
  • There is a nice UI https://developers.facebook.com/tools/debug/accesstoken/ – Clergyman Dec 13 '17 at 12:47

7 Answers

140

The officially supported method for this is:

GET graph.facebook.com/debug_token?
     input_token={token-to-inspect}
     &access_token={app-token-or-admin-token}

See the check token docs for more information.

An example response is:

{
    "data": {
        "app_id": 138483919580948, 
        "application": "Social Cafe", 
        "expires_at": 1352419328, 
        "is_valid": true, 
        "issued_at": 1347235328, 
        "metadata": {
            "sso": "iphone-safari"
        }, 
        "scopes": [
            "email", 
            "publish_actions"
        ], 
        "user_id": 1207059
    }
}
AndHeiberg
rynop
  • This is probably *not* a good way to do it, because it is specifically described as a debugging function. As such, Facebook is much more likely to introduce breaking changes to it going forward. – Jonathan Gilbert Oct 30 '13 at 17:03
  • I think it's misleading to say that facebook is more likely to introduce breaking changes. They don't state that anywhere and their official docs make it clear that this is the way to validate the access token. – Ed Sykes Nov 04 '13 at 22:37
  • Still, the recommended way by Facebook is to make a request to https://graph.facebook.com/me?access_token=xxxxxxxxxxxxxxxxx. – Gaston Sanchez Mar 10 '14 at 22:14
  • @JonathanGilbert I don't see where it is described as a debugging function. – rynop Mar 11 '14 at 20:20
  • @GastónSánchez that is only to validate the token for the session'd user. This validates the token for any user, passed into your server (by JS login code for example). – rynop Mar 11 '14 at 20:21
  • @rynop, well, the name of the API endpoint is "debug_token", and it is described in a section of the Facebook API documentation labelled [Getting Info about Tokens and Debugging](https://developers.facebook.com/docs/facebook-login/access-tokens/#debug). This section of the documentation is referred to by HTML anchor #debug, and states that the API is the back-end for their debug tool. Seems pretty clear to me, but you are right that technically, nowhere is it clearly and directly stated that the function is not intended for production use... :-) – Jonathan Gilbert Apr 29 '14 at 02:58
  • The main issue here is that using the me?access_token method is just plain wrong if the data is coming from the client side, since any site can fish for tokens and then use them to authenticate into your site by accessing your API. – srcspider Jul 02 '15 at 11:09
  • @JonathanGilbert Would be nice if you could suggest the correct way tbh. – Ced Dec 11 '15 at 18:28
  • @srcspider What is the difference between /me and /debug_token in that regard? And if someone is fishing for tokens, why do they need an intermediary for testing? They can simply go directly to Facebook's servers. – Jonathan Gilbert Dec 12 '15 at 19:34
  • @Ced It is pretty simple. Any API endpoint that requires a token effectively checks the token. Pick an endpoint such as /me or /me/permissions for which about the only way it could fail, short of server downtime or Internet problems, is the access token being invalid. If you get a successful response, then the token is still valid. :-) – Jonathan Gilbert Dec 12 '15 at 19:38
  • The OP wanted to check the user ID associated with the token. The /me endpoint returns the user ID, but only if the access token is valid (because, after all, the token is used to determine *which* "me" to return). So, grab /me and compare user IDs. It must be kept in mind that each app gets its own specially-scoped user IDs, so you can't compare IDs from a different source with the /me you get with your own app's token. – Jonathan Gilbert Dec 12 '15 at 19:41
  • The docs might in the past have referenced using this for debugging. But currently it suggests that this is exactly the use case. – AndHeiberg Jan 13 '16 at 18:13
  • As a token, {clientId}|{clientSecret} could be used also. – heroin May 09 '16 at 18:06
  • It's really weird for me that to validate the access_token I have to provide a valid access_token. – Nakilon Aug 30 '16 at 11:32
  • To further support @AndHeiberg's point about this being a supported use case: https://developers.facebook.com/docs/facebook-login/security#tokenhijacking says "access tokens should never be assumed to be from the app that is using them, instead they should be checked using debugging endpoints" with a link to https://developers.facebook.com/docs/facebook-login/access-tokens/#debug. – Henrik N Apr 19 '17 at 09:50
  • Is the `access_token={app-token-or-admin-token}` part really needed? I cannot see any mention of it in the [newest documentation](https://developers.facebook.com/docs/graph-api/reference/v7.0/debug_token). – cubuspl42 Jun 04 '20 at 11:35
  • @cubuspl42 fyi from the page: "An app access token or an app developer's user access token for the app associated with the input_token is required to access this endpoint." – John Boker Sep 18 '20 at 12:48
80

You can simply request https://graph.facebook.com/me?access_token=xxxxxxxxxxxxxxxxx. If you get an error, the token is invalid. If you get a JSON object with an id property, then it is valid.

Unfortunately this will only tell you if your token is valid, not if it came from your app.

rogerdpack
Andy Muth
  • Sorry, my question wasn't clear. The problem is how to verify the user only with uid and accessToken. https://graph.facebook.com/100000726976284?access_token=xxxxxx For example, is there any simple way to check if user 100000726976284's access token is xxxxxx? I guess the 'verified' field is the key. Only when I put the correct xxxxxx could I see verified=true in the response. – So Jae Kyung Dec 22 '11 at 19:16
  • Request https://graph.facebook.com/me?access_token=xxxxxxxxxxxxxxxxx as mentioned above, and then check that the uid you have matches the id passed back from the request. – AlexQueue Oct 05 '12 at 18:23
  • This won't check that the access_token is for your app. – Ed Sykes Nov 04 '13 at 22:53
  • Also not providing `expires_at` info. – vinesh Dec 04 '15 at 16:13
  • Is this really all you need to do? And this is secure enough? – Matt Jan 07 '16 at 23:57
  • downvoting, agree with @EdSykes, this way you cannot check if the access token belongs to your app https://developers.facebook.com/docs/facebook-login/security – nikis Feb 12 '16 at 10:43
  • this is totally wrong. you should call debug_token as rynop said – user151496 Aug 03 '16 at 13:09
44

Just wanted to let you know that up until today I was first obtaining an app access token (via GET request to Facebook), and then using the received token as the app-token-or-admin-token in:

GET graph.facebook.com/debug_token?
    input_token={token-to-inspect}
    &access_token={app-token-or-admin-token}

However, I just realized a better way of doing this (with the added benefit of requiring one less GET request):

GET graph.facebook.com/debug_token?
    input_token={token-to-inspect}
    &access_token={app_id}|{app_secret}

As described in Facebook's documentation for Access Tokens here.

Andy
  • Thank you. Note for others: the literal "|" character must be included (it doesn't indicate 'or') as shown on the page linked to in the answer: https://developers.facebook.com/docs/facebook-login/access-tokens#apptokens – Mike S Oct 26 '17 at 00:29
  • Isn't this insecure? Sending the app-secret via URL query parameters exposes it to anyone "in the middle" between your server and Facebook and HTTPS won't help, since URLs are not encrypted. Anyone could just "listen for" (sniff) requests with URLs in debug_token format and steal Facebook app-secrets. – Simeon Jul 09 '18 at 09:43
  • @Simeon https://stackoverflow.com/questions/499591/are-https-urls-encrypted It is quite secure. – Xeing Aug 09 '18 at 13:16
  • @Xeing thanks, I see I was under the wrong impression :) It seems just the host part of the URL is not encrypted. – Simeon Aug 09 '18 at 14:40
  • Adding the '|' with the app secret got me going finally. Otherwise this API doesn't work. – Udayaditya Barua Aug 16 '18 at 13:15
  • this is sent server side, so clients don't have access, and it's https, so nothing wrong with that. plus that's probs how the sdk does it. The sdk is literally a fancy wrapper for the rest api. ... – Ahmad Bedirxan Sep 28 '20 at 21:45
  • Thanks a bunch! I'm aware of other methods but this was what I've been searching for because it fits some legacy implementation. – OzrenTkalcecKrznaric Oct 21 '20 at 17:08
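The three answers above describe two server-side checks: the `/me` lookup (token works and the returned id matches the uid the client sent) and the `debug_token` lookup with an `{app_id}|{app_secret}` app token (which additionally reports `app_id`, `is_valid` and `expires_at`). The following is an added example that is not code from any answer or from Facebook's SDK; it puts both checks side by side so the difference the comments argue about is visible in a runnable form. The function names, the injectable `fetch` hook, `NOW`, the placeholder secret and the `FAKE_TOKENS` stand-in for Graph are all assumptions constructed for an offline demo; only the endpoints and the app-token form come from the answers.

```python
"""Server-side Facebook access-token verification (added example, not from the thread).

Assumptions: function names, the ``fetch`` hook and the FAKE_* data below are
constructed for an offline demo; the endpoints and the '{app_id}|{app_secret}'
app-token form are the ones given in the answers.
"""
import json
import time
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"
APP_ID = "138483919580948"             # app_id from the first answer's sample response
APP_SECRET = "app-secret-placeholder"  # constructed placeholder, never a real secret
NOW = 1350000000                       # fixed clock between the sample issued_at/expires_at


def app_access_token(app_id, app_secret):
    """App token in the '{app_id}|{app_secret}' form (saves the extra GET)."""
    return f"{app_id}|{app_secret}"


def debug_token_url(input_token, app_token):
    query = urllib.parse.urlencode({"input_token": input_token, "access_token": app_token})
    return f"{GRAPH}/debug_token?{query}"


def me_url(user_token):
    return f"{GRAPH}/me?{urllib.parse.urlencode({'access_token': user_token})}"


def fetch_json(url):
    """Real fetcher: urllib raises HTTPError on Graph's 4xx error responses."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def verify_via_me(user_token, claimed_user_id, fetch=fetch_json):
    """The /me check: the token works and the returned id matches the client's uid.
    It does not prove the token was issued to *our* app."""
    try:
        body = fetch(me_url(user_token))
    except Exception:          # HTTPError / parse failure: token rejected by Graph
        return False
    return str(body.get("id")) == str(claimed_user_id)


def verify_via_debug_token(user_token, claimed_user_id, app_id, app_secret,
                           fetch=fetch_json, now=None):
    """The debug_token check: is_valid, app_id is ours, user_id matches, not expired."""
    now = time.time() if now is None else now
    try:
        body = fetch(debug_token_url(user_token, app_access_token(app_id, app_secret)))
    except Exception:
        return False
    data = body.get("data")
    if not isinstance(data, dict) or data.get("is_valid") is not True:
        return False
    if str(data.get("app_id")) != str(app_id):       # token belongs to another app
        return False
    if str(data.get("user_id")) != str(claimed_user_id):
        return False
    expires_at = data.get("expires_at") or 0
    if expires_at and expires_at <= now:             # 0/absent: rely on is_valid (assumption)
        return False
    return True


# Constructed stand-in for Graph, keyed by token: (app_id, user_id, expires_at).
FAKE_TOKENS = {
    "tok-ours": (APP_ID, "1207059", 1352419328),
    "tok-other-app": ("999000111222333", "1207059", 1352419328),  # same user, another app
    "tok-expired": (APP_ID, "1207059", 1347235328),
}


def fake_fetch(url):
    """Answers like Graph would for the tokens above; unknown tokens raise like a 400."""
    parts = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(parts.query))
    if parts.path == "/me":
        _, uid, _ = FAKE_TOKENS[q["access_token"]]
        return {"id": uid}
    if parts.path == "/debug_token":
        app, uid, exp = FAKE_TOKENS[q["input_token"]]
        return {"data": {"app_id": int(app), "user_id": int(uid), "is_valid": True,
                         "expires_at": exp, "scopes": ["email"]}}
    raise ValueError("unexpected URL: " + url)


if __name__ == "__main__":
    for tok in FAKE_TOKENS:
        print(tok, "me:", verify_via_me(tok, "1207059", fetch=fake_fetch),
              "debug_token:", verify_via_debug_token(tok, "1207059", APP_ID, APP_SECRET,
                                                     fetch=fake_fetch, now=NOW))
```

With the stand-in data, `tok-other-app` passes the `/me` check (the user id matches) but fails the `debug_token` check because its `app_id` is not ours; `tok-expired` likewise passes `/me` and fails on `expires_at`. Against the real API, leave `fetch` at its default and `now` unset; the `app_id` and `user_id` comparisons are done as strings because Graph returns them as numbers while the client typically sends the uid as a string.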
5

Simply request (HTTP GET):

https://graph.facebook.com/USER_ID?access_token=xxxxxxxxxxxxxxxxx

That's it.

Nathan B
2

The app token can be found from this url.

https://developers.facebook.com/tools/accesstoken

Mahendra
0

Exchange Access Token for Mobile Number and Country Code (Server Side OR Client Side)

You can get the mobile number with your access_token with this API https://graph.accountkit.com/v1.1/me/?access_token=xxxxxxxxxxxx. Maybe, once you have the mobile number and the id, you can work with it to verify the user with your server & database.

xxxxxxxxxx above is the Access Token.

Example Response:

{
   "id": "61940819992708",
   "phone": {
      "number": "+91XX82923912",
      "country_prefix": "91",
      "national_number": "XX82923912"
   }
}


Exchange Auth Code for Access Token (Server Side)

If you have an Auth Code instead, you can first get the Access Token with this API - https://graph.accountkit.com/v1.1/access_token?grant_type=authorization_code&code=xxxxxxxxxx&access_token=AA|yyyyyyyyyy|zzzzzzzzzz

xxxxxxxxxx, yyyyyyyyyy and zzzzzzzzzz above are the Auth Code, App ID and App Secret respectively.

Example Response:

{
   "id": "619XX819992708",
   "access_token": "EMAWdcsi711meGS2qQpNk4XBTwUBIDtqYAKoZBbBZAEZCZAXyWVbqvKUyKgDZBniZBFwKVyoVGHXnquCcikBqc9ROF2qAxLRrqBYAvXknwND3dhHU0iLZCRwBNHNlyQZD",
   "token_refresh_interval_sec": XX92000
}

Note - This is preferred on the server-side since the API requires the APP Secret which is not meant to be shared for security reasons.

Good Luck.

Black Mamba
Aakash
0

I found this official tool from the facebook developer page; this page will give you the following information related to the access token: App ID, Type, App-Scoped, User last installed this app via, Issued, Expires, Data Access Expires, Valid, Origin, Scopes. You just need the access token.

https://developers.facebook.com/tools/debug/accesstoken/

shukla147