Do Facebook Oauth 2.0 Access Tokens Expire?

Question

After digging around a bit, i found this. It seems to be the answer:

Updated (11/April/2018)

• The token will expire after about 60 days.
• The token will be refreshed once per day, for up to 90 days, when the person using your app makes a request to Facebook's servers.
• All access tokens need to be renewed every 90 days with the consent of the person using your app.

Facebook change announce (10/04/2018)

Facebook updated token expiration page (10/04/2018)

offline_access: Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.

Its a permission value requested.

http://developers.facebook.com/docs/authentication/permissions

UPDATE

offline_access permission has been removed a while ago.

https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/

Try this may be it will help full for you

https://graph.facebook.com/oauth/authorize?
    client_id=127605460617602&
scope=offline_access,read_stream,user_photos,user_videos,publish_stream&
    redirect_uri=http://www.example.com/

To get lifetime Access Token you have to use scope=offline_access

Meaning of scope=offline_access is that :-

Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.

But according to facebook future upgradation the offline_acees functionality will be deprecated for forever from the 3rd October, 2012. and the user will be given 60 days long-lived access token and before expiration of the access token Facebook will notify or you can get your custom notification functionality fetching the expiration value from the Facebook Api..

Note that Facebook is now deprecating the offline_access permission in favor of tokens for which you can request an "upgrade" to the expiry. I'm just now dealing with this, myself, so I don't have much more to say, but this doc may help:

https://developers.facebook.com/docs/offline-access-deprecation/

I came here with the same question as the OP, but the answers suggesting the use of offline_access are raising red flags for me.

Security-wise, getting offline access to a user's Facebook account is qualitatively different and far more powerful than just using Facebook for single sign on, and should not be used lightly (unless you really need it). When a user grants this permission, "the application" can examine the user's account from anywhere at any time. I put "the application" in quotes because it's actually any tool that has the credentials -- you could script up a whole suite of tools that have nothing to do with the web server that can access whatever info the user has agreed to share to those credentials.

I would not use this feature to work around a short token lifetime; that's not its intended purpose. Indeed, token lifetime itself is a security feature. I'm still looking for details about the proper usage of these tokens (Can I persist them? How do/should I secure them? Does Facebook embed the OAuth 2.0 "refresh token" inside the main one? If not, where is it and/or how do I refresh?), but I'm pretty sure offline_access isn't the right way.