I have an app that includes displaying some photos from a user’s Facebook account. I’m currently using the fb_graph gem to do this (it’s a Ruby project).
I can get the URLs no problem, but what I can’t work out is whether the users will be able to see these photos, displayed on my page, if they’re logged out of their Facebook account. URLs look like: http://sphotos-d.ak.fbcdn.net/hphotos-ak-prn1/<id>.jpg.
There’s an obvious work around, though. I could append the access token I have for the user onto the URLs, so they have the same permissions to see the photos that I do: http://sphotos-d.ak.fbcdn.net/hphotos-ak-prn1/<id>.jpg?access_token=…
Questions like this one http://developers.facebook.com/docs/authentication/client-side/ suggest that it should be a last resort to use the access_token client-side, but I think I have to (as not all photos will be public).
And this question, “Facebook access token: server-side vs client-side flows”, says that because I’m getting the token server-side, it’ll last for 60 days. So I want to be careful with how I use it.
Two questions, then: will this work for viewing the photos, and is there a better way that doesn’t expose the access_token?
Do not under any circumstances put the access token in any URLs of content on your page, or any resources you pull in from third party sites will be exposing users’ access tokens in the referrer headers.
The URL you retrieve for a photo from the API should be accessible directly without an access token.
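To make the leak in the answer above concrete, here is an added Ruby example (not code from the question, the answer, or the fb_graph gem). It models what the browser puts in the Referer header when a page whose URL carries `access_token=...` loads a sub-resource from another host, for each named Referrer Policy, and it includes a helper that strips `access_token` from a URL before it is embedded in a page. The page URL, the resource hosts and the token value are constructed for the example; the policy rules follow the W3C Referrer Policy specification.

```ruby
require 'uri'

# Model of the Referer header a browser sends when the document at page_url
# requests resource_url, for each named Referrer Policy. Hypothetical helper
# written for this example; it is not part of fb_graph or any Facebook SDK.
module RefererModel
  POLICIES = %w[
    no-referrer no-referrer-when-downgrade origin origin-when-cross-origin
    same-origin strict-origin strict-origin-when-cross-origin unsafe-url
  ].freeze

  # Browsers defaulted to this for years: full URL (query string included)
  # is sent to every other host, unless going from https to http.
  LEGACY_DEFAULT = 'no-referrer-when-downgrade'
  # Current browser default: only the origin reaches cross-origin hosts.
  MODERN_DEFAULT = 'strict-origin-when-cross-origin'

  def self.origin(uri)
    port = uri.port == uri.default_port ? '' : ":#{uri.port}"
    "#{uri.scheme}://#{uri.host}#{port}"
  end

  # "Full" referrer: scheme, host, port, path and query; fragment and
  # userinfo are always removed by the browser.
  def self.full(uri)
    path = uri.path.empty? ? '/' : uri.path
    query = uri.query ? "?#{uri.query}" : ''
    "#{origin(uri)}#{path}#{query}"
  end

  # Returns the Referer value as a String, or nil when none is sent.
  def self.referer_for(page_url, resource_url, policy: MODERN_DEFAULT)
    raise ArgumentError, "unknown policy #{policy}" unless POLICIES.include?(policy)
    page = URI.parse(page_url)
    res  = URI.parse(resource_url)
    same_origin = origin(page) == origin(res)
    downgrade   = page.scheme == 'https' && res.scheme == 'http'

    case policy
    when 'no-referrer'                 then nil
    when 'unsafe-url'                  then full(page)
    when 'no-referrer-when-downgrade'  then downgrade ? nil : full(page)
    when 'origin'                      then "#{origin(page)}/"
    when 'strict-origin'               then downgrade ? nil : "#{origin(page)}/"
    when 'same-origin'                 then same_origin ? full(page) : nil
    when 'origin-when-cross-origin'    then same_origin ? full(page) : "#{origin(page)}/"
    when 'strict-origin-when-cross-origin'
      if same_origin then full(page)
      elsif downgrade then nil
      else "#{origin(page)}/"
      end
    end
  end

  # True when a token in the page's query string would reach the resource host.
  def self.leaks_token?(page_url, resource_url, policy: MODERN_DEFAULT)
    ref = referer_for(page_url, resource_url, policy: policy)
    !ref.nil? && ref.include?('access_token=')
  end
end

# Drop access_token from a URL's query string before embedding the URL in
# HTML or sending the user to it; other parameters are preserved.
def strip_access_token(url)
  uri = URI.parse(url)
  return url if uri.query.nil?
  kept = URI.decode_www_form(uri.query).reject { |k, _| k == 'access_token' }
  uri.query = kept.empty? ? nil : URI.encode_www_form(kept)
  uri.to_s
end

# Constructed sample: a gallery page that (wrongly) carries the user's token.
SAMPLE_PAGE  = 'https://app.example/gallery?access_token=SECRET#top'
THIRD_PARTY  = 'https://ads.example/pixel.gif'

if $PROGRAM_NAME == __FILE__
  RefererModel::POLICIES.each do |p|
    ref = RefererModel.referer_for(SAMPLE_PAGE, THIRD_PARTY, policy: p)
    puts format('%-32s -> %s', p, ref.inspect)
  end
  puts strip_access_token('http://sphotos-d.ak.fbcdn.net/hphotos-ak-prn1/123.jpg?access_token=SECRET')
end
```

Under the legacy default the whole query string, token included, is handed to every third-party host the page loads from; under the modern default only the origin crosses to other hosts, but a same-origin resource still receives the full URL, so the token ends up in your own access logs too. The robust fix is the one the answer gives: never let the token into a URL in the first place.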