API Access for Meta Admin Center is controlled by permissions and access tokens.
Access Tokens are required when making API calls by an integration, and they represent both the integration and the permissions granted to it.
Permissions enable granular control over what type of data can be accessed or edited by each integration. When developing an integration, admins can use permissions to control the level of available functionality for that integration.
Permissions granted to an integration take effect at the Admin Center instance level. For example, a custom integration with the Manage Accounts permission can manage or create user accounts only for the Admin Center where it was created.
The following permissions are available to custom integrations for Admin Center:
The permissions available for a custom integration are informed by its purpose. For example, an integration created within the Security tab of Admin Center can only use the Read security audit logs permission.
Access tokens are required when making API requests, and each access token is linked to the custom integration for which it was generated.
To configure a custom integration to make API calls, follow the steps below:
Each custom integration can have only a single active access token. When you generate a new token, any previously generated tokens are immediately invalidated.
Once you have configured a custom integration, you need to generate a token in order to make API calls. You'll do this by calling an access token endpoint, passing the App ID and App Secret you stored from the previous section, as shown in the example call below.
curl \
  -F 'access_token=<app_id>|<app_secret>' \
  -F 'grant_type=client_credentials' \
  https://graph.work.meta.com/work_get_token
This endpoint will return an access token that can then be used to make other API calls.
The access token returned by the above API call will expire, so you'll need to handle token expiry in your code, and retrieve fresh tokens periodically from the same endpoint you used to get the first token. See below for more information on token expiry.
Admin Center custom integration tokens are valid for exactly 2 hours after being generated.
After the validity period has passed, the token expires and can no longer be used to make API calls.
To continue making API calls after an access token expires, a new token must be generated, and the old token must be replaced at every call site in your code that uses it.
If you need to reset a valid access token for a custom integration, an admin can reset the app secret from the admin panel. Any access tokens in use by this custom integration will be immediately invalidated.
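The token lifecycle described above (client_credentials request to the token endpoint, the 2-hour validity window, one active token per integration, and invalidation when the app secret is reset) as a small renewal helper. This is an added example, not Meta's own client code; the endpoint and form fields come from the page, while the `access_token` key in the endpoint's JSON reply and the injected `post`/`clock` callables are assumptions made so the logic can run offline.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Endpoint and form fields are as given on the page; the JSON key "access_token"
# in the response body is an assumption about the endpoint's reply format.
TOKEN_ENDPOINT = "https://graph.work.meta.com/work_get_token"
TOKEN_LIFETIME_S = 2 * 60 * 60   # Admin Center tokens are valid for exactly 2 hours
REFRESH_MARGIN_S = 5 * 60        # renew early so a token never expires mid-request

PostFn = Callable[[str, Dict[str, str]], Dict[str, str]]  # POST form -> parsed JSON body
RequestFn = Callable[[str], Tuple[int, object]]            # bearer token -> (status, body)


class TokenManager:
    """Holds the single active token for one custom integration and renews it.

    `post` and `clock` are injected (assumed interfaces) so the logic can be
    exercised offline; in production `post` wraps an HTTPS client and `clock`
    is time.time. Keep this object on a server you control, never in client code.
    """

    def __init__(self, app_id: str, app_secret: str, post: PostFn,
                 clock: Callable[[], float] = time.time) -> None:
        self._credential = f"{app_id}|{app_secret}"  # app secret: never log or expose it
        self._post, self._clock = post, clock
        self._token: Optional[str] = None
        self._issued_at = 0.0
        self.fetch_count = 0  # exposed so callers can observe renewals

    def _fetch(self) -> str:
        # client_credentials grant against the token endpoint, mirroring the curl call.
        body = self._post(TOKEN_ENDPOINT, {"access_token": self._credential,
                                           "grant_type": "client_credentials"})
        self._token, self._issued_at = body["access_token"], self._clock()
        self.fetch_count += 1
        return self._token

    def token(self) -> str:
        """Return a usable token, renewing it shortly before the 2-hour limit."""
        age = self._clock() - self._issued_at
        if self._token is None or age >= TOKEN_LIFETIME_S - REFRESH_MARGIN_S:
            return self._fetch()  # generating a new token invalidates the previous one
        return self._token

    def call(self, request: RequestFn) -> Tuple[int, object]:
        """Run one API request; on 401 (expired token or reset secret) renew once and retry."""
        status, body = request(self.token())
        if status == 401:
            self._token = None
            status, body = request(self.token())
        return status, body
```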
To enhance the security of custom integrations, developers are required to add IP addresses of any services that will access the API for a given integration. This feature restricts token usage to servers at the specified IP addresses.
Grant the fewest required permissions to achieve the intended integration.
Store app secrets securely, so that they are only accessible by authorized personnel.
Store and use access tokens only on server environments that are under the owning company's control.
Do not grant unnecessary permissions.
Do not commit access tokens or app secrets to public code repositories.
Do not transmit app secrets or access tokens into mobile apps or web browser client code.