Oswald

Reputation: 31685

Are there different types of app access tokens?

The documentation for Real-time Updates says:

In all cases, you must send an OAuth Application access_token. App access tokens are obtained using your App ID and your App Secret:

https://graph.facebook.com/oauth/access_token?client_id=<APP_ID>&client_secret=<APP_SECRET>&grant_type=client_credentials

I have done this and got back a string of the form access_token=<APP_ID>|<String1>-<String2>.

On the other hand, the method BaseFacebook::getApplicationAccessToken() from the Facebook PHP SDK simply concatenates the App ID with the App Secret (which looks like a number with a 32-digit hexadecimal representation) using "|" as separator:

/**
 * @return string The application access token, useful for gathering
 *                public information about users and applications.
 */
protected function getApplicationAccessToken() {
  return $this->appId.'|'.$this->appSecret;
}

What different purposes do these two kinds of app access tokens serve? Are they interchangeable?

Upvotes: 1

Views: 187

Answers (1)

C3roe

Reputation: 96417

Are they interchangeable?

My guess is that they are; that both will get accepted as an app access token for your app and will give you exactly the same rights to do stuff with.

The PHP SDK already knows your app id, since you've initialised the Facebook object instance with it – so no harm in using the "simple" version of building an access token there. (And to give away the other way of creating app access tokens that the Graph API endpoint uses here would be stupid, because everyone can have a look inside the code.)

On the other hand, there might be cases where your app access token has to be used outside of your control(?), so they provide the first version too, so that you don't have to give away your app secret.

Upvotes: 1
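
An added example, not part of the original posts or of the Facebook PHP SDK: a server-side guard that tells the two token forms discussed above apart and refuses to release or log the one that contains the App Secret. All function names and sample values are constructed for illustration.

```php
<?php
/** Extract the token from an "access_token=..." response body. */
function parseTokenResponse(string $body): ?string {
    parse_str(trim($body), $fields);
    $token = $fields['access_token'] ?? null;
    return is_string($token) && $token !== '' ? $token : null;
}

/**
 * Classify an app access token (hypothetical helper):
 *   'embeds-secret' - the <APP_ID>|<APP_SECRET> concatenation
 *   'issued'        - <APP_ID>|<opaque string>, as returned by the endpoint
 *   'foreign'       - not in <APP_ID>|... form for this app
 */
function classifyAppToken(string $token, string $appId, string $appSecret): string {
    $parts = explode('|', $token, 2);
    if (count($parts) !== 2 || $parts[0] !== $appId || $parts[1] === '') {
        return 'foreign';
    }
    // Constant-time comparison, so the check does not leak the secret via timing.
    return hash_equals($appSecret, $parts[1]) ? 'embeds-secret' : 'issued';
}

/** Log-safe form: keep the App ID, mask everything after the separator. */
function redactToken(string $token): string {
    $pos = strpos($token, '|');
    return $pos === false ? '[redacted]' : substr($token, 0, $pos) . '|[redacted]';
}

/** Guard for any code path that hands a token to a party outside the server. */
function tokenForExternalUse(string $token, string $appId, string $appSecret): string {
    $kind = classifyAppToken($token, $appId, $appSecret);
    if ($kind !== 'issued') {
        throw new InvalidArgumentException("refusing to release token ($kind): " . redactToken($token));
    }
    return $token;
}

// Constructed sample values, not real credentials.
$appId        = '123456789012345';
$appSecret    = '0123456789abcdef0123456789abcdef';
$issued       = parseTokenResponse("access_token=$appId|AbCdEf123-XyZ789\n");
$concatenated = $appId . '|' . $appSecret;

echo classifyAppToken($issued, $appId, $appSecret), "\n";
echo redactToken(tokenForExternalUse($issued, $appId, $appSecret)), "\n";
try {
    tokenForExternalUse($concatenated, $appId, $appSecret);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```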