While reading Facebook's post regarding offline_access permission removal, I was thoroughly confused by their reference to short-lived and long-lived access tokens.
This page mentioned
The duration for which a given access token is valid depends on how it was generated
But I failed to find any further information.
Does anyone have insights on how this determination process works in detail?
When your app uses Facebook Login to authenticate someone, it receives a User access token. If your app uses one of the Facebook SDKs, this token lasts for about 60 days. However, the SDKs automatically refresh the token whenever the person uses your app, so the tokens expire 60 days after last use.
Basically, you can subscribe to updates that will tell you 1) if the user removed the app or 2) if the user removed permissions. You could use this to store the current permissions of the Facebook user. This way, if the user removed your app you would know that the access token is expired.
The access token your app gets for a Client-Side authentication is short-lived (about 2 hours), but you can extend it and get a long-lived token using the new endpoint with a valid access token. In the Handling Invalid/Expired Access Tokens it says under Desktop Web and Mobile Web apps which implement authentication with the JavaScript SDK:
Calling FB.getLoginStatus() or ensuring status: true is set when you call FB.init() means that the next time a user lands on your application and is signed into Facebook, the authResponse object you are passed as a result of those calls will contain a fresh, valid access token.
In this case, it's simply the act of the user using your application which implicitly generates a new access token.
If you use the Server-Side authentication flow then you will automatically get a long-lived token (about 60 days). When that expires you have to send the user to re-authenticate in the same flow (code exchanging).
You can of course use both methods and that way you can get a long-lived token in the server and a short-lived token in the client.
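The token lifecycle described in the answer above (a short-lived client token, a server-side exchange for a long-lived one, re-authentication once that expires) as an added Python example; it is not code from the post or from Facebook's SDKs. The `oauth/access_token` endpoint and the `fb_exchange_token` grant are Facebook's real Graph API parameters, while the token values, the sample response body, and the lifetime thresholds are constructed assumptions.

```python
import json
from dataclasses import dataclass

GRAPH_BASE = "https://graph.facebook.com"
LONG_LIVED_THRESHOLD = 24 * 3600  # assumption: more than a day means "long-lived"
EXPIRY_MARGIN = 5 * 60            # assumption: treat a token as gone 5 minutes early


@dataclass
class AccessToken:
    value: str
    issued_at: float  # epoch seconds when our server received it
    expires_in: int   # lifetime in seconds as reported by Facebook

    def seconds_left(self, now):
        return self.issued_at + self.expires_in - now

    def is_long_lived(self):
        return self.expires_in > LONG_LIVED_THRESHOLD


def plan_for(token, now):
    """'reauth': expired or about to be, send the user through the code flow again;
    'exchange': valid but short-lived client token, extend it server-side;
    'use': valid long-lived token, nothing to do."""
    if token.seconds_left(now) <= EXPIRY_MARGIN:
        return "reauth"
    return "use" if token.is_long_lived() else "exchange"


def build_exchange_request(app_id, app_secret, short_token):
    """URL and query for the fb_exchange_token grant. Server-side only:
    the app secret must never be shipped to the browser or mobile app."""
    params = {
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_token.value,
    }
    return f"{GRAPH_BASE}/oauth/access_token", params


def parse_exchange_response(body, received_at):
    """Turn the JSON body of a successful exchange into a stored token,
    recording when it arrived so expiry can be computed later."""
    data = json.loads(body)
    return AccessToken(data["access_token"], received_at, int(data["expires_in"]))


# Constructed sample response, not a real token.
SAMPLE_RESPONSE = '{"access_token":"LONG_TOKEN_EXAMPLE","token_type":"bearer","expires_in":5184000}'
```

Persist `issued_at` alongside the token, since the exchange response only reports a relative lifetime and the expiry decision depends on when your server received it.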