Posts under category Meta & Facebook

Hello community,
Currently, my application uses an authentication endpoint that directly passes user credentials to obtain a token. However, I am aware that this approach is not secure, and I am considering migrating to OAuth.
I would like to understand how I can implement OAuth in this specific endpoint while ensuring compatibility with tokens already generated by the application.
The current endpoint looks like this:
import requests

url = "https://b-graph.facebook.com/auth/login"

headers = {
    'x-fb-connection-quality': 'EXCELLENT',
    'x-fb-connection-type': 'WIFI',
    'user-agent': 'Dalvik/2.1.0 (Linux; U; Android 12; Pixel 3 Build/SP1A.210812.016.C2) [FBAN/Orca-Android;FBAV/412.0.0.15.69;FBPN/com.facebook.orca;FBLC/en_US;FBBV/481775700;FBCR/Verizon;FBMF/Google;FBBD/google;FBDV/Pixel 3;FBSV/12;FBCA/arm64-v8a:null;FBDM/{density=2.75,width=1080,height=2028};FBBK/1;FBLR/0;FB_FW/1;]',
    'x-tigon-is-retry': 'False',
    'x-fb-http-engine': 'Liger',
    'x-fb-client-ip': 'True',
    'x-fb-server-cluster': 'True',
    'x-fb-device-group': '7991',
    'x-fb-sim-hni': '311390',
    'x-fb-net-hni': '311390',
    'x-fb-request-analytics-tags': 'unknown',
    'authorization': 'OAuth null',
    'content-type': 'application/x-www-form-urlencoded',
    'x-fb-friendly-name': 'authenticate',
}

# Form body: the user's e-mail and (encrypted) password travel in this request,
# which is the part the post wants to replace with an OAuth flow.
data = {
    'access_token': '256002347743983|374e60f8b9bb6b8cbb3.........',
    'adid': '2c4afb4e174A84Ea',
    'api_key': '25600.........',
    'client_country_code': 'US',
    'community_id': '',
    'cpl': 'true',
    'credentials_type': 'password',
    'currently_logged_in_userid': '0',
    'device_id': '9047e4fc-eceb-438b-8f67-aa694fafbb20',
    'email': '[...]',
    'enroll_misauth': 'false',
    'fb_api_caller_class': 'AuthOperations$PasswordAuthOperation',
    'fb_api_req_friendly_name': 'authenticate',
    'format': 'json',
    'generate_analytics_claim': '1',
    'generate_machine_id': '1',
    'generate_session_cookies': '1',
    'jazoest': '22621',
    'locale': 'en_US',
    'meta_inf_fbmeta': 'NO_FILE',
    'password': '#PWD_MSGR:1:1705810723:AYOghZx3lG7MDND1yGEAAXCX3pkimdUSGPOGcnKDF+MUs9uB3rGuWQVyRCT1d44GIQMbqfhs71COieDt16JTy5zincTh5tVRvV4uTA3CIH1UNyHUtM8K3W8lZCcQEUZstsgx/YNlHjY4pcOs9b/xsjsF7OxGAr2mnCVtGinbXYxFjPHJcar9yFMhQ4ClKo74qJdGu4o0ZO4eRfMyjI4uHlgPWjzHMlntmP98jtIYKA5OW2fVCHFjrYsmv+scYS174lMvHaqOkM1ep2qqYW3NeTLM6OUZTvVap4maP6Q8xB4Z8mB7bh+rWmnD..........aQd68KC9nnjl1t3zTDEdw9qpq39cLOITnXRnnGWGcgMISvpqMWxb6ywFF30U4J5lbKYcmtqAr02OSw==',
    'secure_family_device_id': '',
    'sig': '30dd2df36ed4eb23397f9ea695f.....b',
    'source': 'login',
    'try_num': '1',
}

response = requests.post(url, headers=headers, data=data)

print("Response Status Code:", response.status_code)
print("Response Text:", response.text)
My intention is to transition to a more secure approach using OAuth while ensuring that the application continues to work with the same token that this route generates.
Any suggestions or guidance on how I can efficiently and securely make this transition would be greatly appreciated. Thank you in advance!
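For readers of the post above, here is an added example (not the poster's code and not Meta's) of the server-side half of an OAuth 2.0 authorization-code flow with PKCE, which is the usual replacement for sending a user's password through your own endpoint: the password is only ever typed into the identity provider's login page, and your backend receives a short-lived authorization code that it exchanges for a token over a back channel. The authorize/token endpoints, client id and redirect URI are placeholders; substitute the values your provider documents. Only the standard library is used, and nothing is sent over the network.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Placeholders (assumption): replace with the provider's documented endpoints.
AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"
TOKEN_URL = "https://auth.example.com/oauth/token"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """High-entropy PKCE verifier: 32 random bytes -> 43 URL-safe characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)). Only the challenge goes
    to the browser; the verifier stays in the server-side session."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(scope: str = "openid") -> dict:
    """Builds the URL to redirect the browser to, plus the per-login secrets
    (state, code_verifier) the server must store in the user's session."""
    verifier = new_code_verifier()
    state = b64url(secrets.token_bytes(16))  # CSRF binding for the callback
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return {
        "url": AUTHORIZE_URL + "?" + urllib.parse.urlencode(params),
        "state": state,
        "code_verifier": verifier,
    }


def validate_callback(query: str, session: dict) -> str:
    """Checks the redirect back from the provider and returns the authorization
    code. Rejects provider errors and any state that does not match the one
    stored for this session (a forged or mixed-up callback)."""
    params = dict(urllib.parse.parse_qsl(query))
    if "error" in params:
        raise PermissionError("provider returned error: " + params["error"])
    if not secrets.compare_digest(params.get("state", ""), session.get("state", "")):
        raise PermissionError("state mismatch")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"]


def token_request_body(code: str, session: dict) -> dict:
    """Form body for the back-channel POST to TOKEN_URL (server to server, TLS).
    A confidential client also authenticates itself here, e.g. with HTTP Basic
    client credentials; the code_verifier proves this is the same client that
    started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }


if __name__ == "__main__":
    # Walk through one login: redirect, callback, token request.
    start = build_authorization_request(scope="profile")
    session = {"state": start["state"], "code_verifier": start["code_verifier"]}
    print("redirect browser to:", start["url"])
    callback_query = urllib.parse.urlencode({"code": "AUTHCODE", "state": start["state"]})
    code = validate_callback(callback_query, session)
    print("token request body:", token_request_body(code, session))
```

The verifier and state never leave the server session, so a token issued this way can only be obtained by the backend that started the flow; the poster's compatibility question (reusing tokens minted by the old password endpoint) is separate and is not addressed by this example.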

I am using the WhatsApp Business API for a chatbot. I am writing an app review for whatsapp_business_messaging but it keeps getting rejected. Following is the note from the reviewer

Hi, While reviewing the submission we found that the Send and receive messages, Managing customer accounts are not shown in the screencasts, please recheck and submit.

The screencast that was submitted showcased sending and receiving of messages (conversation with the bot). However, I am not able to understand the meaning of "Managing customer accounts". Can anyone please help me out here?

For reference:

Review feedback for whatsapp_business_messaging permission -

App rejected - Unable to determine use case details

Developer Policy 1.9 - Build a quality product

We were unable to approve your request for this permission because the explanation of your app's use case was unclear. To resolve this issue, please provide a valid use case with a revised screencast or notes that explain the following items:

  1. Which app function requires the requested permission.
  2. How the requested permission will enhance your app's functionality and integration.
  3. How the requested permission will enhance the end user's experience.

You should also make sure that the screencast submitted is the correct video for the app before you re-submit for review. For more information, you can also view our App Review introduction video and App Review Rejection Guide.

Notes from your reviewer: Hi, While reviewing the submission we found that the Send and receive messages, Managing customer accounts are not shown in the screencasts, please recheck and submit.

Following is the description of the permission usage that I have written:

The whatsapp_business_messaging permission will be used for sending out the responses to the user. These responses will be created by our Large Language Model (LLM) backend and get sent back to the user using the whatsapp_business_messaging permission. The “/messages” endpoint will act like a mailman to deliver messages to the user. The requested permission will help in developing a two-way communication with the end user allowing them to have an interactive experience with the chatbot. We will leverage the whatsapp_business_messaging permission to promptly respond to user queries in real-time, facilitating a smoother and more user-friendly interaction via WhatsApp.

For our Facebook App, we have followed the below URL for getting access tokens for Instagram Business User/Creator
https://developers.facebook.com/docs/instagram/business-login-for-instagram/
After getting a short lived token, we exchanged that for a long lived token. The token debugger tool as well as token debug api shows Expires value for these tokens as 0 (Never).
However, for a substantial number of users (around 10% of our connected users) we get the following error when we try to query the Media:
"Error validating access token: The session has been invalidated because the user changed their password or Facebook has changed the session for security reasons."
Is it possible that 10% of our users (around 700-800) could have changed their Instagram password?
The long lived token documentation says that :
"When you use the iOS, Android, or JavaScript SDK, the SDK will automatically refresh tokens if the person has used your app within the last 90 days. Native mobile apps using Facebook's SDKs get long-lived User access tokens, good for about 60 days. These tokens are refreshed once per day, when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token."
We are not using any SDK. Neither for authentication, nor for fetching Media. Mostly communicating with Facebook using REST API to graph.facebook.com utilizing the access_token.
The login flow is standard through our React App. No SDK. Just JS and URL redirect and stuff.
"These tokens are refreshed once per day, when the person using your app makes a request to Facebook's servers".
What does the above statement mean?
If I make a call to the Facebook Graph API (through the REST API) using the stored user access token to fetch media once every 90 days, does that satisfy the above requirement?
Do I need to use any SDK (JS/Python) to fetch Media once every 90 days?
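Whatever the answer to the refresh question, a backend that stores long-lived tokens without an SDK should be able to tell "the token has been invalidated, ask the user to log in again" apart from a transient failure, rather than retrying the same token. The following is an added example (not the poster's code and not Meta's) that checks a stored token with the real /debug_token endpoint's response shape (`data.is_valid`, `data.expires_at`, where 0 is what the debugger shows as "Never") and classifies the Graph API error quoted above. The error code 190 and subcodes 460/463 are from the Graph API error reference; the sample response bodies are constructed for the example and no network call is made.

```python
import json
from datetime import datetime, timedelta, timezone

# Real endpoint: GET /debug_token?input_token=<user token>&access_token=<app token>
DEBUG_TOKEN_URL = "https://graph.facebook.com/debug_token"

# Graph API error reference: 190 = invalid OAuth access token;
# subcode 460 = session invalidated (password change); 463 = token expired.
ERR_INVALID_TOKEN = 190
SUB_PASSWORD_CHANGED = 460
SUB_EXPIRED = 463


def classify_graph_error(body: dict) -> str:
    """Maps a Graph API response body to an action for the token store."""
    err = body.get("error")
    if not err:
        return "ok"
    if err.get("type") == "OAuthException" and err.get("code") == ERR_INVALID_TOKEN:
        sub = err.get("error_subcode")
        if sub == SUB_PASSWORD_CHANGED or "invalidated" in err.get("message", ""):
            return "reauth-password-changed"   # token is dead; do not retry
        if sub == SUB_EXPIRED:
            return "reauth-expired"
        return "reauth-invalid-token"
    return "retry-later"                        # rate limit, server error, ...


def token_status(debug_body: dict, now: datetime,
                 renew_within: timedelta = timedelta(days=7)) -> str:
    """Interprets a /debug_token response: 'ok', 'renew' (expiring soon)
    or 'reauth' (invalid or already expired)."""
    data = debug_body.get("data", {})
    if not data.get("is_valid", False):
        return "reauth"
    expires_at = int(data.get("expires_at", 0))
    if expires_at == 0:                         # shown as "Never" in the debugger
        return "ok"
    exp = datetime.fromtimestamp(expires_at, tz=timezone.utc)
    if exp <= now:
        return "reauth"
    if exp - now <= renew_within:
        return "renew"
    return "ok"


def triage(user_id: str, debug_body: dict, media_response: dict,
           now: datetime) -> dict:
    """Combines both signals into one record for a nightly token-health job."""
    status = token_status(debug_body, now)
    error_class = classify_graph_error(media_response)
    needs_login = status == "reauth" or error_class.startswith("reauth")
    return {"user": user_id, "token": status, "last_call": error_class,
            "needs_login": needs_login}


# Constructed samples (not real API output); the message text is the one
# quoted in the post.
SAMPLE_MEDIA_ERROR = json.loads("""{"error": {
  "message": "Error validating access token: The session has been invalidated because the user changed their password or Facebook has changed the session for security reasons.",
  "type": "OAuthException", "code": 190, "error_subcode": 460, "fbtrace_id": "EXAMPLE"}}""")
SAMPLE_MEDIA_OK = {"data": [{"id": "1", "media_type": "VIDEO"}]}
SAMPLE_DEBUG_NEVER = {"data": {"app_id": "APP_ID", "type": "USER",
                               "is_valid": True, "expires_at": 0,
                               "scopes": ["instagram_basic"]}}
SAMPLE_DEBUG_INVALID = {"data": {"app_id": "APP_ID", "is_valid": False,
                                 "error": {"code": 190, "message": "Invalid OAuth access token."}}}

if __name__ == "__main__":
    now = datetime.now(tz=timezone.utc)
    print(triage("u1", SAMPLE_DEBUG_NEVER, SAMPLE_MEDIA_OK, now))
    print(triage("u2", SAMPLE_DEBUG_NEVER, SAMPLE_MEDIA_ERROR, now))
    print(triage("u3", SAMPLE_DEBUG_INVALID, SAMPLE_MEDIA_OK, now))
```

Note the second sample: the debugger can still report the token as valid with no expiry while a call made with it fails with the password-change error, so the error classification on the live call is what should flip the user into the re-login flow.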

Hello all, for a couple of weeks now, when fetching the plays for a reel, the API is only giving us the "initial plays" metric and not the total plays (initial plays + replays). This is consistent with the documentation but not with recent changes in the app and Meta Business Suite, where the main metric is now plays. Do you know when those metrics will be available through the API? Thanks