Skip to main content

Facebook App Keys

Description#

General#

  • Documentation: https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens
  • Summary: Facebook access tokens are strings used for identification and are of three types: either to identify a user, an application, or Page. Application access tokens are used to modify and read app settings. They can also be used to publish Open Graph actions. They are generated using a pre-agreed secret between the app and Facebook and is then used during calls that change app-wide settings.
  • IPs allowlist: This feature is not available.
  • Scopes: App access tokens are only limited to access and modify application data (no reach on users, pages, or clients).

Revoke the secret#

There is no direct information on how to revoke app access token.

Check for suspicious activity#

Facebook API has access to an AppEventLogger class in order to monitor various activities (see here).

Details for Facebook app keys#

  • Category: Social network

  • Company: Facebook

  • High recall: False

  • Validity check available: True

  • Only valid secrets raise an alert: True

  • Minimum number of matches: 2

  • Occurrences found for one million commits: 38.39

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator  banlist_extensions:  - ^(cs|x|p|s|r)?html5?~?$  - ^[aps]?cssc?~?$  - ^lock$  - ^mdx?~?$  - ^storyboard(c|er)?~?$  - ^xib$  banlist_filenames: []  check_binaries: false- type: ContentWhitelistPreValidator  patterns:  - facebook  - fb(-|_)?(client|app|id|key|secret)- type: BanMinifiedPreValidator  threshold_minified: 0.8

Examples#

- text: >    facebook String appId = "294790898041575"; String appSecret = "ce3f9f0362bbe5ab01dfc8ee565e4372"  client_id: "294790898041575"  client_secret: "ce3f9f0362bbe5ab01dfc8ee565e4372"- text: >    String fb_id = "294790898041575"; String fb_secret = "ce3f9f0362bbe5ab01dfc8ee565e4372"  client_id: "294790898041575"  client_secret: "ce3f9f0362bbe5ab01dfc8ee565e4372"