You're in
Iker Hurtado's pro blog
Developer | Entrepreneur | Investor
Software engineer (entrepreneur and investor at times). These days doing performant frontend and graphics on the web platform at Barcelona Supercomputing Center

How to programmatically post on Facebook

1 Dec 2014   |   iker hurtado  
Share on Twitter Share on Google+ Share on Facebook
In this entry I will explain how to post to a Facebook account from the server -without need for user intervention at each request- through its API. I show how HTTP requests are formed because I think is the most important thing; I bring no source code. Also I link relevant pages of official documentation.

My current need is to post messages occasionally in my Facebook account from the server. The peculiarity of the Facebook system for my goal is that I need to obtain a long-lived token. This can be achieved in three steps:

Step 1: Gain a normal access token (short-lived):

You only have to use this tool that provides the platform: Graph API Explorer.

In the official documentation is detailed (Quickstart - Generate a basic Access Token), but it isn't tricky. The only important detail is that it's necessary to ask for a token with publishing permissions. This is properly explained a bit further down; in Get Publishing Permissions section.

Step 2: Obtain a long-lived token

For my need of publication from the server without user intervention (my account) I need a long-lived token. It is easy to get from the normal token providing the application identificator and secret.

This is properly explained in official documentation. It consists of a GET request with the following URL and these parameters (line breaks are included for readability):


Paso 3: Post

Once we have the long-lived token -with right publishing permissions- to post is very easy (oficcial documentation).

It only consists in creating a POST request with the next URL (to publish in the feed) and with the long-lived token as value of access_token parameter. Something like this:

POST https://graph.facebook.com/102036675662757/feed?

Although it is a POST request, the message can go in the URL (properly encoded with Percent encoding).

Unlike Twitter, Facebook uses OAuth 2.0, so no need to encrypt the requests as they are on an encrypted channel (HTTPS). This greatly simplifies the composition of petitions.

The problem of renewing the long-lived token

The only drawback of the Facebook system to post from the server is that long-lived token expire in about two months. The documentation explains the problem and ways to solve it: Refreshing Long-Lived Tokens. I extract quite a few explanatory paragraphs:

Even the long-lived access token will eventually expire. At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token - how this appears to the person will vary based on the type of login flow that you are using, for example if you are using the JavaScript SDK, this will take place in the background, if you are using a server-side flow, the browser will quickly redirect to the Login Dialog and then automatically and immediately back to your app again.


You should, in general, not use the same long-lived tokens on more than one web client (i.e. if the person logs in from more than one computer.) Instead you should use the long-lived tokens on your server to generate a code and then use that to get a long-lived token on the client. Please see below for information Generating long-lived tokens from server-side long-lived tokens

In my case I have not needed to look into this at the moment; it's not very costly for me to renew manually the token.