 

Facebook API Rate Limit - Server-side vs Client-side

To my understanding the rate limit for facebook API is about 600 calls per 600 sec, per token & IP. Now I have a website/facebook-app that allows users to browse public nightclub pages and events which does not require the user to be logged in to browse the pages so I use my App token for that. But for the user to be able to use the features on my website/app where their account interacts with the facebook graph, they have to be logged in so I use the user token for that.

So when the user is logged in, there should not be a problem with exceeding the rate limit, since each user will have a different user token, so each user will have a rate limit of 600 calls per 600 sec. But my concern is that my app will exceed the rate limit when users are browsing public nightclub pages and events while not logged in, since there will be only 1 app token and 1 IP address (my server) being used for multiple users. If there are multiple users browsing the public nightclub pages and events at one time, then it will be very easy to exceed the rate limit.

I've done some research and found that I can make the API calls from the client side; that way there will be a different IP address (the user's computer) for each user that is browsing public nightclub pages and events, so each user will have a rate limit of 600 calls per 600 sec. But if I make the API calls from the client side, would my app token and app secret be visible to the user? Would this be a security risk? Can anyone verify if this is correct? Is there anything else I can do so that the rate limit is not exceeded when users are browsing public nightclub pages and events? Thanks in advance.

Angelo Rodriguez, asked May 01 '26 00:05


1 Answer

When making calls from client side you do not provide the app secret, only the App ID, which the client can see regardless, because they are logged into your app. The Facebook cookie for your app contains your App ID. Each client gets their own token, which they can also see.

I'm not sure what "browsing nightclub pages" means technically, but if you can offload server work to the client using JavaScript, that is preferable. Also, when authenticating a user on your server side, try not to call $facebook->getUser() on every page request, because that counts against your API limit. Try to log in clients using JavaScript if possible; if not, log them in ONCE with FB server-side, then set up your own session to authenticate them with your site from then on. This will cut down immensely on your API calls.

See this question: Structure of a facebook app with minimal api calls

Paul Cristea, answered May 03 '26 16:05
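The following is an added example illustrating the two points this thread makes; it is not code from the question, the answer, or Facebook's SDK. An app access token has the documented form `APP_ID|APP_SECRET`, so using it from the browser hands every visitor the secret; the client may only ever receive the App ID, and the JS SDK obtains a user token of its own for logged-in users. For the anonymous "browse public pages" case, the single server-side app token is protected by a read-through cache (N visitors viewing the same page inside the TTL cost one Graph call) and a sliding-window budget that stops the server from burning calls once the 600-per-600-seconds figure quoted in the question is reached. `TokenBudget`, `GraphCache`, `fakeGraphFetch`, the page paths and the token strings are all constructed stand-ins; no Graph API request is made.

```javascript
// Added example, not code from the original question or answer.
// Rate-limit figures are the ones quoted in the question.
const RATE_LIMIT_CALLS = 600;
const RATE_LIMIT_WINDOW_MS = 600 * 1000;

// App access tokens have the documented form "<app-id>|<app-secret>".
// A token of this shape carries the secret and must stay on the server.
function isAppToken(token) {
  return /^\d+\|[^\s|]+$/.test(token);
}

// What the browser is allowed to receive: the App ID only. The app token
// (and therefore the secret) is deliberately dropped from the client config.
function clientConfig({ appId, appToken }) {
  if (appToken !== undefined && !isAppToken(appToken)) {
    throw new Error('expected an app token of the form appId|secret');
  }
  return { appId: String(appId) };
}

// Sliding-window count of Graph calls made with one token (app or user token).
class TokenBudget {
  constructor(limit = RATE_LIMIT_CALLS, windowMs = RATE_LIMIT_WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.calls = []; // timestamps (ms) of calls still inside the window
  }
  remaining(now) {
    while (this.calls.length && now - this.calls[0] >= this.windowMs) this.calls.shift();
    return this.limit - this.calls.length;
  }
  consume(now) {
    if (this.remaining(now) <= 0) return false;
    this.calls.push(now);
    return true;
  }
}

// Read-through cache in front of the Graph API for public page data.
// Many anonymous visitors viewing the same page within `ttlMs` cost one call.
// When the budget is exhausted, stale data is served instead of making a call
// that Facebook would reject anyway; with nothing cached the request is refused.
class GraphCache {
  constructor(fetchImpl, budget, ttlMs = 5 * 60 * 1000) {
    this.fetchImpl = fetchImpl;
    this.budget = budget;
    this.ttlMs = ttlMs;
    this.entries = new Map(); // path -> { data, fetchedAt }
    this.stats = { hits: 0, misses: 0, stale: 0, refused: 0 };
  }
  get(path, now) {
    const hit = this.entries.get(path);
    if (hit && now - hit.fetchedAt < this.ttlMs) {
      this.stats.hits++;
      return hit.data;
    }
    if (!this.budget.consume(now)) {
      if (hit) { this.stats.stale++; return hit.data; }
      this.stats.refused++;
      return null; // caller shows "try again later"; no Graph call was spent
    }
    const data = this.fetchImpl(path);
    this.entries.set(path, { data, fetchedAt: now });
    this.stats.misses++;
    return data;
  }
}

// Constructed stand-in for the real HTTP call to graph.facebook.com.
function makeFakeGraph() {
  const calls = [];
  const fetchImpl = (path) => {
    calls.push(path);
    return { id: path.replace('/', ''), name: `Page ${path}` };
  };
  return { fetchImpl, calls };
}

// Simulation: `users` anonymous visitors each view every path in `pages`
// through the one server-side app token, all within a single cache TTL.
function simulateAnonymousBrowsing(users, pages, limit = RATE_LIMIT_CALLS) {
  const graph = makeFakeGraph();
  const cache = new GraphCache(graph.fetchImpl, new TokenBudget(limit));
  let now = 0;
  for (let u = 0; u < users; u++) {
    for (const page of pages) {
      cache.get(page, now);
      now += 10; // visitors arrive 10 ms apart
    }
  }
  return { graphCalls: graph.calls.length, ...cache.stats };
}
```

With 50 visitors each viewing the same three public pages, the app token is charged three calls rather than 150; with the budget artificially set to 2, the third distinct page is refused locally instead of triggering a rate-limit error from the API. The same `TokenBudget` can be keyed per user token for the logged-in path, which is where the answer's advice about not calling `getUser()` on every request applies.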