Permissions with Facebook Login

When a person logs into your app via Facebook Login you can access a subset of that person's data stored on Facebook. Permissions are how you ask someone if you can access that data. A person's privacy settings combined with what you ask for will determine what you can access.

Requesting & RevokingReviewPermissions Reference

Facebook Login Example

Permissions are strings that are passed along with a login request or an API call. Here are two examples of permissions:

  • publish_to_groups - Access to publish posts to groups a person manages
  • pages_manage_posts - Access to publish posts to Pages a person manages

For example, if you add the login button to a web app and ask for publish_to_groups and pages_manage_posts via the scope parameter, a person would be prompted with this dialog when logging in for the first time:

Your app has requested access to a person's groups and Pages. The full list of permissions, including defaults, is included in the Permissions Reference.

We provide similar mechanisms for iOS and Android. Links are provided for each platform later in this document.

When to ask for Permissions

Your app can ask for additional permissions at any time, even after a person logs in for the first time. For example, the user_photos permission allows your app to get a person's published photos. It's recommended you ask for this permission only when your app needs to show the person their published photos. When you ask for new permissions, the person using your app will be asked about those new permissions and has the ability to opt out. For more information, see Optimizing Permissions Requests.

Permissions only need to be granted once per app, i.e. permissions granted on one platform are effectively granted on all the platforms your app supports.

User Control

Facebook Login allows a person to grant only a subset of permissions that you ask for to your app, except for public profile, which is always required. This is available as a separate screen in the login dialog when you ask for permissions. Your app should handle the case where someone had declined to grant your app one of the permissions you requested.

Revoked Permissions

People can also revoke permissions granted to your app in Facebook's interface at any time after they have logged in. It is important that your app regularly checks which permissions have been granted, especially when launching on a new platform. We provide methods for you to check what permissions are currently granted to your app.

Granular Permissions

People can grant your app permissions for Pages, Groups, and business assets they manage at the individual level. For example, someone who manages several Pages, may grant your app permission for only a particular Page or for only some of their Pages.

People choose which permissions they grant through a permission request flow. For example, if an app requests Page and Groups permission, people receive a request to grant those permissions in the login dialog. If they don't grant all the requested permisions, they can manage what sorts of permissions they grant and the assets, such as permission to a specific Page or Group if they manage many, the app can access with those permissions.

If someone initially grants only some of the requested permissions, they can later change which permissions they allow through the app settings page. However, if they update this to grant all permissions, they will no longer be able to use the app settings page to change the permissions they have granted.

People can manage the following permissions at the individual level:

Expiration of Permissions

If your app does not use a permission for 90 days, that permission may expire. This is true even if the permission was approved through app review.