How to Get and Use a Facebook Access Token in 2026
A complete, step-by-step developer guide on how to generate a Facebook Access Token using the Graph API Explorer. Updated for 2026.
If you are trying to build anything that connects to Facebook's Graph API—whether it is a social media dashboard, a website feed widget, an analytics pipeline, or a custom automation—you will need a Facebook Access Token. Without one, the API will not respond. With the wrong type, you will hit permission errors or token expiry walls at the worst possible moment.
This guide walks you through the full process: what access tokens are, how to generate each type using the Graph API Explorer, and how to extend them so they do not expire after two hours and break your production integration.
What is a Facebook Access Token and Why Do You Need It?
A Facebook Access Token is a credential that authenticates your application's requests to the Graph API. Think of it as a temporary password that proves to Facebook's servers that the user or page has authorized your app to act on their behalf.
Without a valid token, every API call you make will return an error. With the right token and correct permissions, you can:
- Read posts, photos, and videos from a Page or User.
- Publish content programmatically to a Page.
- Retrieve insights and analytics data.
- Access Instagram Business account data (via the Facebook Graph API).
There are three main types of access tokens you will encounter:
| Token Type | Issued To | Typical Expiry | Common Use Case |
|---|---|---|---|
| User Token | An individual Facebook user | Long-lived: ~60 days; short-lived: 2 hours | Reading user profile, feed |
| Page Token | A Facebook Page | Never expires (long-lived) | Publishing to a Page, reading Page data |
| App Token | Your application | Never expires | Server-to-server requests, analytics |
Step 1: Creating a Facebook Developer App
Before you can generate any token, you need a registered Facebook Developer application. This is the container that holds your permissions, webhooks, and credentials.
- Navigate to developers.facebook.com and log in with your Facebook account.
- Click "My Apps" in the top-right corner, then click "Create App".
- Select the app type that matches your use case. For most website integrations, choose "Business" or "Consumer".
- Enter your app's display name and a contact email address, then click "Create App".
- Once created, you will land in the App Dashboard. Note your App ID and App Secret — you will need these later.
Adding the Required Products
In the App Dashboard left sidebar, click "Add Product" and add the following based on your needs:
- Facebook Login — Required if you need User Tokens.
- Instagram Graph API — Required if you plan to access Instagram Business data.
Step 2: Navigating the Graph API Explorer
The Graph API Explorer is Meta's official browser-based tool for testing API calls and generating access tokens. It is the fastest way to get a working token without writing any code.
- Go to developers.facebook.com/tools/explorer.
- In the top-right dropdown, select your App from the list.
- Click "Generate Access Token".
A popup will appear asking you to log in with Facebook and grant the permissions your app has requested. After authorizing, a short-lived User Access Token will appear in the token field.
Selecting the Right Permissions (Scopes)
Before generating the token, configure the permissions you need by clicking "Add a Permission" in the Explorer. Common permissions include:
- pages_read_engagement — Read posts and engagement data from Pages you manage.
- pages_manage_posts — Publish content to Pages.
- instagram_basic — Read basic data from a connected Instagram Business account.
- read_insights — Access Page and post-level analytics.
Important: Only request permissions you actually need. Facebook's app review process will reject apps that request excessive scopes without a clear justification.
Step 3: Generating User, Page, and App Tokens
Generating a User Token
After clicking "Generate Access Token" and completing the authorization flow, the Explorer displays your short-lived User Token (valid for approximately two hours). Copy this value—you will use it to generate the other token types.
Generating a Page Token
Page Tokens are far more useful for long-term integrations because they provide persistent access to Pages you manage.
In the Graph API Explorer, with your User Token active:
- In the API endpoint field, type: me/accounts
- Click "Submit".
- The response will list every Page you manage, along with an access_token field for each. This is your Page Access Token.
Page Tokens obtained via a long-lived User Token do not expire—making them ideal for server-side integrations.
Generating an App Token
App Tokens are used for server-to-server requests that do not require a user context. You can generate one without the Explorer by making an HTTP GET request:
GET https://graph.facebook.com/oauth/access_token
?client_id={your-app-id}
&client_secret={your-app-secret}
&grant_type=client_credentials
The response will contain an access_token field. Store this securely on your server—never expose App Tokens in client-side JavaScript or public repositories.
How to Extend Token Expiration (Long-Lived Tokens)
The short-lived User Token you generate in the Explorer expires after about two hours, which makes it useless for any automated integration. You must exchange it for a long-lived token (valid for 60 days) before using it in production.
Exchanging a Short-Lived Token for a Long-Lived Token
Make the following server-side HTTP request:
GET https://graph.facebook.com/oauth/access_token
?grant_type=fb_exchange_token
&client_id={your-app-id}
&client_secret={your-app-secret}
&fb_exchange_token={short-lived-user-token}
The response returns a new access_token with an expires_in value of approximately 5,184,000 seconds (60 days).
Refreshing Long-Lived Tokens
Long-lived tokens do not auto-renew. Before the 60-day window closes, your application should prompt the user to re-authorize, which will generate a new long-lived token. Build this refresh flow into your application's authentication logic from day one to avoid unexpected API failures.
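The exchange and the renewal deadline described above, as an added example that is not part of the original guide. The environment variable names FB_APP_ID and FB_APP_SECRET, the seven-day renewal margin, and the sample response are assumptions made for illustration.

```python
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://graph.facebook.com/oauth/access_token"  # endpoint from this guide
RENEW_MARGIN = timedelta(days=7)  # assumption: start re-authorization a week early


def build_exchange_url(app_id, app_secret, short_lived_token):
    """Build the fb_exchange_token request with every value URL-encoded."""
    query = urllib.parse.urlencode({
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_lived_token,
    })
    return f"{TOKEN_URL}?{query}"


def parse_exchange_response(body, now):
    """Return (token, expires_at, renew_at); errors report the type, never the body."""
    data = json.loads(body)
    if "access_token" not in data:
        kind = (data.get("error") or {}).get("type", "unknown")
        raise RuntimeError(f"token exchange failed: {kind}")
    expires_at = now + timedelta(seconds=int(data["expires_in"]))
    return data["access_token"], expires_at, expires_at - RENEW_MARGIN


def redact(token):
    """Log-safe form of a token: its length, never its value."""
    return f"<token len={len(token)}>"


def exchange(short_lived_token):
    """Live call (assumed env var names). The URL carries the App Secret: never log it."""
    url = build_exchange_url(os.environ["FB_APP_ID"],
                             os.environ["FB_APP_SECRET"], short_lived_token)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return parse_exchange_response(resp.read(), datetime.now(timezone.utc))


# Constructed sample response (not a real token), parsed offline.
SAMPLE = '{"access_token": "EXAMPLE-LONG-LIVED", "expires_in": 5184000}'
if __name__ == "__main__":
    tok, exp, renew = parse_exchange_response(SAMPLE, datetime(2026, 1, 1, tzinfo=timezone.utc))
    print(redact(tok), "expires", exp.date(), "re-authorize by", renew.date())
```

Store `renew_at` next to the token so a scheduled job can prompt for re-authorization before the 60-day window closes.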
Permanently Valid Page Tokens
If you exchange a long-lived User Token for a Page Token using the me/accounts endpoint, the resulting Page Token will never expire—as long as the user who authorized it retains admin access to the Page. This is the recommended pattern for stable website integrations.
Security Considerations
- Never commit access tokens to version control. Use environment variables or a secrets manager.
- Store App Secrets server-side only. Exposing them in client-side code allows anyone to impersonate your app.
- Use the Token Debugger (developers.facebook.com/tools/debug/accesstoken) to inspect a token's validity, expiry, and granted permissions before deploying.
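The pre-deployment check from the last bullet can be automated. This added example (not part of the original guide) audits token metadata for validity, owning app, excess scopes, and remaining lifetime. It assumes the field names of the Graph API debug_token response (is_valid, app_id, scopes, expires_at); the App ID, scope allowlist, margin, and sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumptions for this example: a placeholder App ID, and the scopes this
# integration is meant to hold (names from the permissions list in this guide).
EXPECTED_APP_ID = "APP_ID_PLACEHOLDER"
ALLOWED_SCOPES = {"pages_read_engagement", "read_insights"}
MIN_REMAINING = timedelta(days=7)  # assumed renewal margin


def audit_token(meta, now):
    """Return findings for one token's debug metadata; an empty list passes."""
    findings = []
    if meta.get("is_valid") is not True:
        findings.append("token is not valid")
    if str(meta.get("app_id")) != EXPECTED_APP_ID:
        findings.append("token was issued to a different app")
    extra = set(meta.get("scopes", [])) - ALLOWED_SCOPES
    if extra:
        findings.append("unexpected scopes: " + ", ".join(sorted(extra)))
    expires_at = meta.get("expires_at")
    if expires_at is None:
        findings.append("no expiry information")
    elif expires_at:  # assumed convention: 0 means the token has no expiry
        remaining = datetime.fromtimestamp(expires_at, timezone.utc) - now
        if remaining < MIN_REMAINING:
            findings.append(f"expires in {max(remaining.days, 0)} day(s)")
    return findings


# Constructed metadata records (not real tokens or App IDs).
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
PAGE_TOKEN_META = {"is_valid": True, "app_id": EXPECTED_APP_ID,
                   "scopes": ["pages_read_engagement"], "expires_at": 0}
USER_TOKEN_META = {"is_valid": True, "app_id": EXPECTED_APP_ID,
                   "scopes": ["pages_read_engagement", "pages_manage_posts"],
                   "expires_at": int((NOW + timedelta(days=3)).timestamp())}

if __name__ == "__main__":
    for name, meta in [("page", PAGE_TOKEN_META), ("user", USER_TOKEN_META)]:
        print(name, audit_token(meta, NOW) or "OK")
```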
Skip the Token Headache Entirely
Managing Facebook access tokens—generating them, refreshing them before they expire, and handling API errors when they don't—is a significant ongoing maintenance burden. One expired token can break a live website integration with no warning.
WidgetJar's Facebook Feed Widget handles all token generation and renewal automatically on our end. You connect once, and your live Facebook feed stays on your website indefinitely—no token management required.