Developer Best Practices for Facebook Login

As announced earlier today, we'll begin rolling out a feature that gives people more transparency and control over the data other apps and websites share with us. We believe that giving people transparency and control is good for businesses and developers as people will be more informed on how their information is used and feel better about the products they interact with online.

When using this feature, people will be able to see a list of apps and websites they’ve visited that use Facebook business and/or developer tools such as the Facebook pixel, SDK and APIs.

As this feature rolls out, it may impact Facebook Login. When people exercise control to clear their off-Facebook activity or disconnect future activity, their user access tokens for third-party apps or websites where they used Facebook Login will be invalidated, and they may be logged out of the app or website. When they do log back in, the app or website will receive the same App Scoped ID they previously had to preserve continuity.

To help developers prepare for the launch of this feature, we’re providing our developer community with updated implementation best practices and guidance.

1. Prompt people to log back into your app or website: When someone exercises control via the feature and wants to log back in to an app or website, that person should be prompted to do so when they open the app or website again. If they choose to log back in using Facebook Login, they will need to re-authorize any applicable permissions to the app or website.
2. Check to make sure a user access token is still valid: In addition, when a person logged in with Facebook Login is actively using an app or website, developers should check that the user access token is still valid by making an API call or by checking permissions. Be sure to log the user out when their access token is invalidated.
3. Check for revoked permissions: People can revoke permissions granted to your app in Facebook's interface at any time after they have logged in. It is important to check what permissions are granted to apps and websites by active users.
4. Provide people with data control: To give people control of their data, you should implement a data deletion callback to respond to people’s requests to delete data an app or website has from Facebook about them.

Additional resources

• Testing Facebook Login flow: https://developers.facebook.com/docs/facebook-login/testing-your-login-flow
• Facebook Login best practices: https://developers.facebook.com/docs/facebook-login/best-practices