Skip to content

Facebook Access Token

Service Name: Facebook (Meta)

Service Description: Facebook is a social media platform owned by Meta Platforms that allows users to connect, share content, and interact with friends, family, and businesses. Access tokens are used to authenticate API requests to Facebook's Graph API.

Service Address: https://facebook.com

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the app level in the Facebook Developer Portal.

Secret Access Scope: Grants programmatic access to Facebook's Graph API with permissions based on the token type and requested scopes. Can access user data, post content, manage pages, or access other Facebook resources depending on the permissions granted.

Secret Revokement URL: https://developers.facebook.com/tools/accesstoken/

Secret Example: EAAZAw4KGgwBABAJ72ZCRFxZAIhXW6v9HrZAIWXCxmUkJqjdXYqZBrV2eZBZCnZBZCZAIWXCxm UkJqjdXYqZBrV2eZBZCnZB

Suspicious Activity Investigation Instructions:

  • Use the Facebook Graph API Debug tool to check token details and permissions: https://developers.facebook.com/tools/debug/accesstoken/
  • Review app activity logs in the Facebook Developer Portal
  • Check for unauthorized posts, messages, or data access
  • Review recent API calls made with the token
  • Examine the IP addresses and locations where the token has been used

Mitigation Instructions:

  • Immediately revoke the compromised token through the Facebook Developer Portal
  • Generate a new access token with appropriate permissions
  • Review and potentially reduce the permissions scope for the application
  • Enable app review for sensitive permissions
  • Implement token rotation and shorter expiration times
  • Update your application to use the new token
  • Consider implementing IP restrictions for your Facebook application
  • Review Facebook's security best practices: https://developers.facebook.com/docs/facebook-login/security/