Facebook Login for Business is the preferred authentication and authorization solution for Tech Providers and business app developers who need access to their business clients' assets. It is an alternative to Facebook Login. If you are not a Tech Provider, or you are not building a business app for use by other businesses, use Facebook Login as your authentication solution instead.
Compared to Facebook Login, Facebook Login for Business allows you to specify the access token type, types of assets, and permissions your app needs, and save it as a set (configuration). You can then present the set to your business clients who can complete the flow and grant your app access to their business assets. It removes the ability for a business to grant you permission to certain categories of information that are typically not necessary for a business app. It allows you to choose between different access tokens based on your apps’ needs.
You may request the following permissions from your business clients. Note that unlike Facebook Login, Facebook Login for Business requires your business client to grant all of the permissions that you specify in your configuration.
The email
and public_profile
permissions are automatically granted to all apps. However, they must be used with at least one other supported permission for each app installation.
The public_profile
permission is automatically granted to all apps however it will not be returned in the scope
parameter unless at least one other supported permission, excluding email
, is granted by an app user.
Available Permissions | User access tokens | Business Integration System User access tokens |
---|---|---|
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
email * | ✓ | N/A |
✓ | ✓ | |
instagram_content_publish | ✓ | ✓ |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
instagram_shopping_tag_products | ✓ | ✓ |
✓ | ✓ | |
manage_fundraisers | ✓ | ✓ |
✓ | ✓ | |
page_events | ✓ | ✓ |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
✓ | ✓ | |
private_computation_access | ✓ | ✓ |
✓ | N/A | |
✓ | ✓ | |
✓ | ✓ | |
read_audience_network_insights | ✓ | ✓ |
✓ | ✓ | |
✓ | ✓ |
You can use Facebook Login for Business to get either Business Integration System User access tokens or User access tokens. Note that your current access tokens will not be impacted upon switching to Facebook Login for Business.
Business Integration User access tokens are generated by Facebook Login for Business and should be used if your app performs programmatic, automated actions on your business clients' Ad objects or Pages without having to rely on input from an app user, or require re-authentication at a future date. For example:
In order to be able to get Business Integration User access tokens from your business clients:
To test the Business Integration System User access token flow, the tester must have a role on the app.
For certain Tech Providers, typically larger organizations, who might need different access setups for different purposes or departments instead of using the one Business Integration System User access token per client business, multiple granular Business Integration System User access tokens per client business are available to improve the scalability/security of your operations.
This endpoint allows developers to manage their existing system user access token by the following:
Object | Description |
---|---|
int | Required. When an end user installs an app through the Facebook Login For Business flow which generates system user access token at the end, such token will be scope in the selected business by the client. |
string | Required. Since this is a token management API, we require |
string | Required.
|
int | Optional. The |
bool | Optional.
|
int | Optional. When you want to generate a more granular token, you can set a list of |
bool | Optional. When you want to generate a more granular token, you can set a list of |
bool | Optional. When you want to generate a new token, you can make the token expire in 60 days |
curl -i -X POST \ 'https://graph.intern.facebook.com/v17.0/2738613836382965/system_user_access_tokens?appsecret_proof=<app_secret_proof_sanitized>& access_token=<access token sanitized>& system_user_id={system_user_id}& fetch_only=true'
{ "access_token": "{access_token}" }
User access tokens should be used if your app takes actions in real time, based on input from the user. For example, use a User access token if your app requires a user to input text and click a button in order to post content to their page. User access tokens should also be used if you require an API that requires admin permissions on a Meta Business Account.
System User access tokens | User access tokens | |
---|---|---|
Account association | Associated with your business client's business account rather than a specific user. Any admin in your business client's admin group can grant your app a System User access token. | Associated with your app user's personal account. |
OAuth grant type | Authorization Code only. | Implicit by default. Mainly used for user-agent based clients such as web browsers and mobile apps. |
Expiration and refresh | Defaults to never expire for the common offline server-to-server communication. | A short-lived token for online activities such as web browsers. |
Access Designations | Access is explicitly delegated at the time of authorization. Your app can only access the assets that were designated by your business client when they completed the Facebook Login for Business flow. | Access is inherited from your app user's current account access; you can access the same business assets that the app user currently has access to. |
Your business clients can invalidate Business Integration System User access tokens by going to Business Manager > Settings > Business Settings > Integrations > Connected apps and removing your app.
For User access tokens, your business clients can remove the app by going to Facebook and navigating to Settings & privacy > Settings > Security and login > Business Integrations and removing your app.
User access token login flow | Business Integration User access token login flow |
---|---|
To test out Facebook Login for Business, you need to create a Business Type testing app where the Facebook Login for Business is installed automatically.
A configuration is a grouping of the token type, business assets, and permissions your app requires from business clients. This grouping will be presented to users as part of the authentication and authorization flow when they install your app. You can create multiple configurations and present them to different sets of users, depending on your app's needs. To create a configuration you will:
Creating a configuration will generate a configuration ID, which you can then use with our SDKs (or manually).
WhatApp Embedded Signup is exclusively accessible for Business Solution Providers (BSPs) only.
whatsapp_business_management
and whatsapp_business_messaging
The flow is optimized for Instagram Graph APIusage only.
You can invoke the Facebook Login for Business login dialog using our SDKs, or you can invoke the login dialog by manually building the login flow.
You can use any of our SDKs to invoke the login dialog by replacing the list of scopes (permissions) your app needs with your configuration ID and the access token's required OAuth grant type.
If you are unfamiliar with our SDKs, we recommend that you first install the JavaScript SDK and get it working with the consumer Facebook Login product before proceeding, as the following examples reference the SDK.
Here's an example of the JavaScript SDK's FB.login()
method modified to use a configuration for a System User access token. Note that config_id
has replaced scope
(which should not be used), the response_type
has been set to code
, since SUAT's require the authorization code grant type, and override_default_response_type
must be set to true
. When true, any response types passed in the response_type
will take precedence over the default types.
FB.login( function(response) [ console.log(response); ], [ config_id: '<CONFIG_ID>', response_type: 'code', override_default_response_type: true ] );
When the user completes the login dialog flow we will redirect the user to your redirect URL and include a code. You must then exchange this code for an access token by performing a server-to-server call to our servers.
GET https://graph.facebook.com/v18.0
/oauth/access_token?
client_id=<APP_ID>
&client_secret=<APP_SECRET>
&code=<CODE>
See Exchanging Code for an Access Token for more information about this step.
Here's an example of the JavaScript SDK's FB.login()
method modified to use a configuration for a User access token. Note that config_id
has replaced scope
(although scope
can still be included, we recommend that you do not use it).
FB.login( function(response) { console.log(response); }, { config_id: '<CONFIG_ID>' // configuration ID goes here } );
Here's an example of the JavaScript SDK's login button modified to use a User access token configuration:
<fb:login-button config_id="<CONFIG_ID>" onlogin="checkLoginState();"> </fb:login-button>
See Manually Building the Login Flow to learn how to invoke the login dialog manually. When invoking the login dialog and setting the redirect URL, include your configuration ID as an optional parameter (although scope can still be included, we recommend that you do not use it).
config_id=<CONFIG_ID>
App installers might encounter error messages for the following reasons:
Potential breaking changes:
If your app is not functioning as intended after switching to Facebook Login for Business, you can uninstall it by rolling back to Facebook Login by going to the App Dashboard > Facebook Login for Business > Settings and clicking the Switch to Facebook Login link. You will be presented with a survey which helps us improve the Facebook Login for Business configuration experience. Each app is allowed to roll back to Facebook Login within 30 days after the switch and can only roll-back max three times.