4

Trying to refresh my long lived access token via this endpoint:

https://developers.facebook.com/docs/instagram-basic-display-api/guides/long-lived-access-tokens#refresh-a-long-lived-token

Keep getting the error: OAuth "Facebook Platform" "invalid_token" "Invalid OAuth access token."

However, I debug my token using https://developers.facebook.com/tools/debug/accesstoken/ which shows that it is valid and for around 2 months (which proves its a long lived access token).

Does this endpoint not work anymore or am I missing something?

P.S. I'm using a User Access Token, its a public Instagram business account backed by a Facebook page. Also, I'm using this on server, so it won't refresh if the token is used within 60 days (that's what happens when you auth through FB mobile sdk).

EDIT

So it looks like there are two requirements that I missed:

  1. Your long lived access token has to be at least 24 hours old in order to refresh
  2. You need the 'instagram_graph_user_profile' permission/scope when logging your user into Facebook

HOWEVER

I tried:

  1. Oddly enough, whenever I add that permission/scope to the list, Facebook Login always fails and says "There's something wrong". I tried this using the facebook login react npm package, the manual login flow by just making requests, and the FB SDK login button, all the same result.
  2. The Facebook Graph API Explorer doesn't include this permission. However, the list of permissions they have does include it.

So what does this mean, Facebook isn't allowing refresh of long lived tokens?

NOTE: The docs on how to refresh a long lived access token are for the Basic Display API, which isn't recommended for business accounts (which is who will be using my app). So this makes me more unsure of if it is possible to refresh tokens for the Instagram Graph API.

MORE INFO

So on the FB developer portal, if you add the Instagram Basic Display product to your app (I previously didn't have it) it allows you to ask for the instagram_graph_user_profile permission. However, this brings up more questions:

  1. Do I have to use Insta Graph API + Insta Basic Display in order to get a a refreshable long lived access token?
  2. If so, how does that work? Because Insta Basic Display is recommended for personal accounts and Graph API is for business accounts.
  3. If so, how do I add the instagram_graph_user_profile permission? It still causes FB login to fail.
Akash Kundu
  • 1,278
  • 13
  • 21
  • Can you please check the "Client OAuth Setting" in your Facebook app under "Products - Facebook Login - Setting". Maybe you have a bad selection there. – Norbert Jan 11 '21 at 21:04
  • Thanks for the response! Could you elaborate a little more? Also where would I find these settings? – Akash Kundu Jan 11 '21 at 23:56
  • In your Facebook App. On the left side you'll find "Products" a sub-entry is "Facebook Login" and there you find the entry "settings". – Norbert Jan 12 '21 at 08:52
  • Gotcha, so I never touched anything here except I added my URIs to the "Valid OAuth Redirect URIs" area. Everything else has default settings. Should I change something here? – Akash Kundu Jan 12 '21 at 17:38
  • Ever tried this procedure? https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing/ The link for getting a long lived access token you mention above leads to the Instagram long-lived access token and not the Facebook one. – Norbert Jan 15 '21 at 11:19
  • Thanks for the response @Norbert, I actually already do this to get the ~60 day token. However, I need a way to refresh that token once that ~60 days is nearly up! Any ideas? – Akash Kundu Jan 15 '21 at 15:48
  • First, you'll get an JSON in return and in this JSON you get an expires_in field so, you know at what time the token will become invalid. But, as long as you use the token, it is refreshed once per day. Check this paragraph from the linked docs from my comment above: "These tokens are refreshed once per day, when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token." – Norbert Jan 15 '21 at 22:01
  • @Norbert I did read that! To test that, I created a long lived access token 7 days ago and I've been making calls with it since. As of today, the expiry date still shows the same date it did when I first made the token. This indicates the token is not being refresh once per day, right? – Akash Kundu Jan 16 '21 at 06:14

1 Answers1

3

So I ended up contacting a few companies that I know for a fact do what I was trying to do and they confirmed that Facebook does REQUIRE the user to re-authorize after ~60 days.

If they don't, the long lived access token will expire.

Akash Kundu
  • 1,278
  • 13
  • 21
  • So if we want to display instgram feed in the website we need to manually update the access token? – Shinya Koizumi Jun 12 '21 at 20:06
  • @ShinyaKoizumi Yes, so if the user re-authenticates it will refresh the access token. You can accomplish this by just asking them to re-auth (this is what I do) or the better way is to give the user a reason to come back and re-auth! – Akash Kundu Jun 13 '21 at 01:34
  • Thanks for the response. I was trying to display my instagram feed on my website and it was expering every 60 days. Instead I renewed the token every day so it never expires using this function https://developers.facebook.com/docs/instagram-basic-display-api/reference/refresh_access_token/ – Shinya Koizumi Jun 14 '21 at 05:42
  • Yup, nice, this only works for Basic Display API though which didn't cover my uses, but glad you found something for yours! :) – Akash Kundu Jun 14 '21 at 19:47