Facebook App Keys

Description

General

• Documentation: https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens
• Summary: Facebook access tokens are strings used for identification and are of three types: either to identify a user, an application, or Page. Application access tokens are used to modify and read app settings. They can also be used to publish Open Graph actions. They are generated using a pre-agreed secret between the app and Facebook and is then used during calls that change app-wide settings.
• IPs allowlist: This feature is not available.
• Scopes: App access tokens are only limited to access and modify application data (no reach on users, pages, or clients).

Revoke the secret

There is no direct information on how to revoke app access token.

Check for suspicious activity

Facebook API has access to an AppEventLogger class in order to monitor various activities (see here).

Details for Facebook app keys

• Family: Api

• Category: Social network

• Company: Facebook

• High recall: False

• Validity check available: True

• On-premise instances exist: False

• Only valid secrets raise an alert: True

• Minimum number of matches: 2

• Occurrences found for one million commits: 45.8

• Prefixed: False

• PreValidators:

- type: FilenameBanlistPreValidator  banlist_extensions:  - ^(cs|x|p|s|r|m)?html5?~?$  - ^[aps]?cssc?~?$  - ^lock$  - ^mdx?~?$  - ^storyboard(c|er)?~?$  - ^xib$  banlist_filenames: []  check_binaries: false- type: ContentWhitelistPreValidator  patterns:  - facebook  - fb(-|_)?(client|app|id|key|secret)- type: BanMinifiedPreValidator  threshold_minified: 0.8

Examples

- text: >    facebook String appId = "294790898041575"; String appSecret = "ce3f9f0362bbe5ab01dfc8ee565e4372"  client_id: "294790898041575"  client_secret: "ce3f9f0362bbe5ab01dfc8ee565e4372"- text: >    String fb_id = "294790898041575"; String fb_secret = "ce3f9f0362bbe5ab01dfc8ee565e4372"  client_id: "294790898041575"  client_secret: "ce3f9f0362bbe5ab01dfc8ee565e4372"