user1470807

Reputation: 281

Malformed Facebook Access Token

I'm trying to use the Facebook Graph API to grab photo albums from Facebook and place them on a website I'm working on. I am using PHP as my language with the Codeigniter framework and am redirecting to a Facebook URL to get an access token for the user. Facebook returns an access token to me and I grab it and insert it into my database.

That being said, when I try to grab the JSON data for the photo album by going to the graph URL, it returns an error. The graph URL and error are:

https://graph.facebook.com/1298926000574/photos?access_token=[MY ACCESS TOKEN]

My access token: AQBxqdB64GHNTGY5Yp_IOuMY7NerwNtXVVrp2HwT1qXj02zqU-63KJDyB2jzqurlJ4M0vd7TAu7upA6T7ZYQzIChr2PgD1dpu-6Iebi0WVILbBSBOu-yj7sgcHSGS-Ew4Yio0I9In-1O5jOxbYLDMbI0Zmwk-F1-u-7a8iVvTJram8PvpmdRt5eg

Returned error:

{
  "error": {
    "message": "Malformed access token [MY ACCESS TOKEN]",
    "type": "OAuthException",
    "code": 190
  }
}

I'm really unsure why Facebook keeps returning this error to me. The access token is quite long and I'm storing it in my database as a "text" field. I followed their instructions and now they are shooting me in the foot. Any help would be much appreciated.

Upvotes: 28

Views: 34500

Answers (6)

totymedli

Reputation: 31201

tl;dr

The access token should consist of your app id and your access token with a pipe (|) character between them: 123456789012345|AbCDefGHijKLMNOpqRSTUVwxYZ.

Creating and using an access token

Note: In this tutorial I use only dummy credentials. They will be in the same style as real ones would be but their exact value is just a series of incremented numbers or characters. Never post your actual credentials online!

Creating an access token

Requirements:

  • App id: 123456789012345
  • App secret: ZYxwVUTSRqpONMLKjiHGfeDCbA

If you follow the access token creation guide you will find this URL where you can create one:

GET /oauth/access_token?client_id={app-id}&client_secret={app-secret}&grant_type=client_credentials

If we insert in our dummy credentials the GET request's URI should look like this:

https://graph.facebook.com/oauth/access_token?client_id=123456789012345&client_secret=ZYxwVUTSRqpONMLKjiHGfeDCbA&grant_type=client_credentials

The response will be:

{
  "access_token": "123456789012345|AbCDefGHijKLMNOpqRSTUVwxYZ",
  "token_type": "bearer"
}

The access token consists of your app id followed by a pipe (|) then the string that could be called the actual access token.

Using the access token

Requirements:

  • Access token: 123456789012345|AbCDefGHijKLMNOpqRSTUVwxYZ
  • Whatever other credential you need. User id in this example: 1234567890

In this example I will follow the official Facebook guide on sending notifications. They showed this template:

POST /{recipient_userid}/notifications?access_token=... &template=...&href=...

That means, after you fill in your credentials an example POST request should look like this:

https://graph.facebook.com/1234567890/notifications?access_token=123456789012345|AbCDefGHijKLMNOpqRSTUVwxYZ&template=Test&ref=notif_test

Upvotes: 1

Gijs P

Reputation: 1470

I had this same problem and I found this post searching for a solution. I noticed that 'our' access token had a lot of odd symbols, while others are just an alphanumeric string.

I believe that the mistake you (and I) made was mixing the code with the access_token.

After sending the Facebook user to your API to confirm access, they get returned to your website with $_GET['code']. This code needs to be verified with Facebook, who will return the access_token on success.

$app_id = 'YOUR_APP_ID';
$app_secret = 'YOUR_APP_SECRET';
$my_url = 'THE_SAME_AS_THE_POST_BEFORE'; // redirect_uri used in the login request
$code = $_GET['code']; // one-time authorization code, not the access token

$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . urlencode($code);

$response = file_get_contents($token_url);
// json_decode() returns the decoded value; true requests an associative array
$params = json_decode($response, true);
$access_token = $params['access_token'];

More info about fetching an access_token with PHP

More info about using the correct redirect_uri

Upvotes: 72

Mahmoud Zalt

Reputation: 31250

You are sending code instead of access_token in your request.

The solution for Laravel Socialite users:

Use:

$response = Socialite::driver($provider)->getAccessTokenResponse($request['code']);
$user = Socialite::driver($provider)->userFromToken($response['access_token']);

Instead of:

$user = Socialite::driver($provider)->user();

Upvotes: 1

Vikalp Patel

Reputation: 10887

As the error says, it's a malformed exception, which means an error in formatting the request.

https://graph.facebook.com/me/photos/?access_token=[your_accesstoken]

So it would be like

https://graph.facebook.com/me/photos/?access_token=AQBxqdB64GHNTGY5Yp_IOuMY7NerwNtXVVrp2HwT1qXj02zqU-63KJDyB2jzqurlJ4M0vd7TAu7upA6T7ZYQzIChr2PgD1dpu-6Iebi0WVILbBSBOu-yj7sgcHSGS-Ew4Yio0I9In-1O5jOxbYLDMbI0Zmwk-F1-u-7a8iVvTJram8PvpmdRt5eg

Upvotes: -1

Johan

Reputation: 647

One WP plugin was returning the same error, and this was the solution; it may be related to your problem:

PHP requests the access_token, and Facebook servers return it.

The returned message containing access_token USED to be like:

access_token=.......

But for newly created applications (2012), facebook servers return:

access_token=.....&expires=.....

If your code is parsing this wrongly, as in

$access_token=str_replace('access_token=','',$message);

then your $access_token wrongly contains the extra &expires etc.

It should be parsed like:

parse_str($message,$ar); $access_token=$ar['access_token'];

Upvotes: 3
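
The two fixes described in the answers above (exchange the `code` for a token, then parse the response by key instead of by string replacement) can be combined as follows. This is an added example, not code from any answer on this page; `parseTokenResponse()` and `exchangeCode()` are hypothetical helper names, and the sample response bodies are constructed dummy values.

```php
<?php
// Added example; parseTokenResponse() and exchangeCode() are hypothetical names.

// Pull the access token out of a token-endpoint body. Handles the JSON form
// and the legacy form-encoded form (access_token=...&expires=...).
function parseTokenResponse(string $body): string
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        parse_str($body, $data);            // not JSON: form-encoded fallback
    }
    if (isset($data['error'])) {
        // Report type and code only: the error message can echo the token back.
        $err = is_array($data['error']) ? $data['error'] : [];
        throw new RuntimeException(sprintf('Token endpoint error: %s (%s)',
            $err['type'] ?? 'unknown', $err['code'] ?? 'n/a'));
    }
    if (empty($data['access_token']) || !is_string($data['access_token'])) {
        throw new RuntimeException('No access_token in response');
    }
    return $data['access_token'];
}

// Exchange the one-time ?code= value for an access token over HTTPS.
function exchangeCode(string $appId, string $appSecret, string $redirectUri, string $code): string
{
    $url = 'https://graph.facebook.com/oauth/access_token?' . http_build_query([
        'client_id'     => $appId,
        'redirect_uri'  => $redirectUri,    // must match the login request
        'client_secret' => $appSecret,
        'code'          => $code,
    ]);
    // ignore_errors keeps the JSON error body readable on an HTTP 4xx reply.
    $ctx  = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 10]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('Token request failed');
    }
    return parseTokenResponse($body);
}

// Constructed sample bodies with dummy values; these run offline.
echo parseTokenResponse('{"access_token":"DUMMY_TOKEN_1","token_type":"bearer"}'), "\n";
echo parseTokenResponse('access_token=DUMMY_TOKEN_2&expires=5183999'), "\n";
```

Store the value returned by `exchangeCode()`, not `$_GET['code']`, and keep the app secret on the server side only.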

Himal

Reputation: 33

I had the same problem. I figured out how it works, and here it is for anyone who's sinking in the same mud.

require 'facebook-php-sdk/facebook.php';
$facebook = new Facebook(array(
  'appId'  => 'APP ID',
  'secret' => 'SECRET KEY',
));

// Get User ID
$user = $facebook->getUser();
if ($user) {
    // Access token as provided by the SDK for the logged-in user
    $accessToken = $facebook->getAccessToken();
    try {
        $url = "https://graph.facebook.com/1298926000574/photos?access_token=".$accessToken;

        $photos = $facebook->api($url);
        var_dump($photos);
    } catch (FacebookApiException $e) {
        $user = null;
    }
} else {
    //echo "You need to login";
    header("Location:".$facebook->getLoginUrl());
    exit; // stop executing after sending the redirect
}

Upvotes: 2
