Access Token Security


Access tokens are opaque strings used in token-based authentication to identify a user, app, or page and to allow an application to access an API. They are sensitive and should be kept confidential at all times, as stated in our Platform Terms. In many cases an app's code can be read directly, either from the HTML source or by decompiling the app binary. Therefore, your app should never have an access token hard-coded into it. Instead, API calls should be made directly with the token returned in the response to the access token generation request.

To increase security, Meta will work with GitHub to mitigate the risks associated with exposed user access tokens and page access tokens. An exposed token can be used for unauthorized access to the application, or by a malicious user to act on behalf of the token owner and potentially compromise the application.

As part of this program, GitHub will scan every commit to a public repository for exposed Meta access tokens and forward any it finds to Meta. Access tokens with a valid session will be automatically invalidated. App owners will be notified via the App Dashboard whenever a token belonging to an app admin or developer has been invalidated. The end-to-end process takes just a few seconds.
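The following is an added example, not code from Meta's documentation or GitHub's scanner: a small pre-commit style check that flags string literals assigned to token-named variables, run over two constructed snippets, one hard-coding a token (the anti-pattern described above) and one reading it at runtime. The regular expression and the variable name `META_ACCESS_TOKEN` are assumptions of this example, not Meta's real token format or a documented setting.

```python
import re

# Heuristic pattern (assumed, not Meta's or GitHub's real detector): an identifier
# ending in "token" assigned a quoted literal of 32+ token-safe characters.
HARDCODED_TOKEN = re.compile(
    r"""(?i)\b(\w*token)["']?\s*[:=]\s*["']([A-Za-z0-9_\-]{32,})["']"""
)

# Constructed sample: the anti-pattern the text warns against.
VULNERABLE_SNIPPET = """# constructed sample, secret baked into source
ACCESS_TOKEN = "EXAMPLEtokenvalue0123456789abcdefABCDEF_-xyz"
resp = requests.get(f"https://graph.example/me?access_token={ACCESS_TOKEN}")
"""

# Constructed sample: the secret is obtained at runtime and never appears in source.
CLEAN_SNIPPET = """import os
ACCESS_TOKEN = os.environ["META_ACCESS_TOKEN"]  # assumed variable name
PLACEHOLDER = "<set at runtime>"
resp = requests.get(f"https://graph.example/me?access_token={ACCESS_TOKEN}")
"""


def find_hardcoded_tokens(source):
    """Return (line_number, identifier, redacted_prefix) for each flagged line.

    The literal is redacted so the scanner's own output does not leak the secret.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = HARDCODED_TOKEN.search(line)
        if match:
            identifier, literal = match.group(1), match.group(2)
            hits.append((lineno, identifier, literal[:4] + "..."))
    return hits


def scan_sources(sources):
    """Scan a mapping of path -> file contents, as a commit hook would."""
    findings = []
    for path, text in sources.items():
        for lineno, identifier, redacted in find_hardcoded_tokens(text):
            findings.append((path, lineno, identifier, redacted))
    return findings


if __name__ == "__main__":
    for finding in scan_sources({"bad.py": VULNERABLE_SNIPPET, "ok.py": CLEAN_SNIPPET}):
        print("hard-coded access token: %s:%d %s=%s" % finding)
```

A hit should be treated like the GitHub process above: rotate the token immediately and move the value out of source, since a committed secret has to be assumed exposed.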