Introduction to Authentication Tokens

An authentication token stores information related to permissions, token generation and expiration.

Access Token

An access token is a random string that gives an application temporary and secure access to Facebook APIs. An access token is created on behalf of a person, a Facebook Page or an application. The token is generated during the last step of the login flow. Facebook SDKs handle the generation and storage of tokens automatically. Applications using other methods must follow the login flow to create tokens.

A token stores information about granted permissions. When the token expires, the application generates a new token. To maintain information security, almost all Facebook API calls must include an access token, which is passed in the parameters of the request.
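
An added example, not from the original page: a client-side check of the token properties described above (permissions and expiration) before a call is made, plus masking of the token when a request URL is logged, since the token travels in the request parameters. The metadata field names, the `skew` margin, the host name and all sample values are assumptions constructed for this illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample metadata; the field names are assumptions for this example.
SAMPLE_TOKEN = {
    "permissions": ["public_profile", "email"],
    "issued_at": 1_700_000_000,
    "expires_at": 1_700_005_400,  # 90 minutes after issue
}


def token_status(meta, required, now=None, skew=60):
    """Return 'expired', 'missing:<permissions>' or 'ok' for a token's metadata."""
    now = time.time() if now is None else now
    # Treat the token as expired slightly early so a call already in flight
    # does not arrive after expiry (skew is a hypothetical margin in seconds).
    if now >= meta["expires_at"] - skew:
        return "expired"
    missing = sorted(set(required) - set(meta["permissions"]))
    if missing:
        return "missing:" + ",".join(missing)
    return "ok"


def redact_token(url, param="access_token"):
    """Return the URL with the token parameter's value masked, for logging."""
    parts = urlsplit(url)
    query = [(key, "REDACTED" if key == param else value)
             for key, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed request URL on a placeholder host.
    url = "https://graph.example.invalid/me?fields=id&access_token=EXAMPLE-TOKEN"
    print(token_status(SAMPLE_TOKEN, ["email"], now=1_700_000_100))
    print(redact_token(url))
```

An `expired` result is the point at which the application generates a new token; a `missing:` result means the granted permissions do not cover the call.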

The following token types are provided by Facebook:
User Access Token
With user access tokens, you can test your applications. They expire like any other user access token and cannot be hard-coded into your applications.
App Token
App tokens expire and must be kept confidential because they are related to your application secret.
Page Access Token
Page access tokens are similar to user access tokens, except that they provide permission to APIs that read, write, or modify the data that belongs to a Facebook Page.