Home/ Questions/Q 8003471
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T16:39:31+00:00

Facebook docs : Facebook Platform supports two different OAuth 2.0 flows for user login:

  • 0

Facebook docs:

Facebook Platform supports two different OAuth 2.0 flows for user login: server-side (known as the authentication code flow in the specification) and client-side (known as the implicit flow). The server-side flow is used whenever you need to call the Graph API from your web server. The client-side flow is used when you need to make calls to the Graph API from a client, such as JavaScript running in a Web browser or from a native mobile or desktop app.

What is the difference between access tokens taken by these flows?
It seems like they length differ.

Can we use server-side flow token on a client? And otherwise, can we use client-side flow token on a server?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Currently, Facebook says this about access_tokens. On Server-side OAuth

    if the access_token is generated from a server-side OAuth call, the
    resulting access_token will have the longer expiration time by
    default    . If the call is made while there is still a valid long-lived
    user access_token for that user, the returned user access_token from
    this second call may be the same or may have changed, but in either
    case the expiration time will be set to a long expiration time.

    Where as client-side OAuth flow will give you a existing, non-expired, short-lived user access_token. To make this access_token long lived, facebook is providing a new endpoint that exchanges the short lived access_token with an access_token with longer life. The endpoint is

    https://graph.facebook.com/oauth/access_token?             
    client_id=APP_ID&
    client_secret=APP_SECRET&
    grant_type=fb_exchange_token&
    fb_exchange_token=EXISTING_ACCESS_TOKEN

    Also please note that

    Currently the long-lived user access_token will be valid for 60 days
    while the short-lived user access_tokens are currently valid from 1 to
    2 hours.

    Excerpt from https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/

    • 0