Reputation: 21
I've built a notification sending system that sends notifications to all users of our app, using the app access token. This system is currently running on my localhost. When I configure it with the appid and appsecret for my dev and stage environments, it works fine. But when I put in the appid and appsecret of the LIVE app, I get this error:
{"message":"The client token cannot be used for this API", "type":"OAuthException", "code":190}
So what's different between dev and live? Dev and Stage are in sandbox mode, Live is not. So I tried disabling sandbox mode on Dev/Stage and they continue to function fine. Dev works fine, Stage works fine, Live gives this error. All other code is the same except for the appid, appsecret, and redirect_uri (changing it to match the domain of each environment).
I have checked this post, but unfortunately resetting our appsecret on a site with 1,000,000 users is not something we can do at the moment (too much other functionality relies on it).
Upvotes: 2
Views: 2514
Reputation: 43816
You need to reset the client token, not the app secret - the error message means that at some point your app was set to 'desktop / native' (as opposed to 'web') under 'App Type'.
Previously this meant that your app access token was embedded in your client code and thus not to be trusted for making app-signed requests.
If your client token is identical to the app secret (which it will be if you've never changed it), Facebook still considers it to be unsafe to trust; you'll need to change the client token, which is under Advanced settings, Security.
Upvotes: 2
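An added example, not code from either poster: because this error comes from the app's settings rather than from any one recipient, a bulk sender should recognise it and stop the run instead of repeating the same failing call for every user. The function names, the `send` callable and the second sample body are assumptions made for illustration.

```python
import json

# Constructed sample bodies: the first is the error quoted in the question,
# the second is a made-up failure used only for contrast.
CLIENT_TOKEN_BODY = ('{"message":"The client token cannot be used for this API", '
                     '"type":"OAuthException", "code":190}')
OTHER_BODY = '{"error": {"message":"constructed failure", "type":"Example", "code":-1}}'


def classify(body):
    """Return 'ok', 'app_config', 'token' or 'other' for a response body."""
    if body is None:
        return "ok"
    try:
        data = json.loads(body)
    except ValueError:
        return "other"
    if not isinstance(data, dict):
        return "other"
    # Assumption: the error may arrive bare (as quoted) or under an "error" key.
    err = data.get("error", data)
    if not isinstance(err, dict):
        return "other"
    if err.get("type") == "OAuthException" and err.get("code") == 190:
        if "client token" in str(err.get("message", "")).lower():
            return "app_config"   # fix the app settings; retrying cannot help
        return "token"
    return "other"


def send_all(user_ids, send):
    """Call send(uid) per user; abort the whole run on an app-level error.

    `send` is a hypothetical callable returning None on success or the raw
    error body on failure. Returns (sent, failed, aborted_reason).
    """
    sent, failed = [], []
    for uid in user_ids:
        kind = classify(send(uid))
        if kind == "ok":
            sent.append(uid)
        elif kind in ("app_config", "token"):
            return sent, failed, kind   # same credentials fail for every user
        else:
            failed.append(uid)
    return sent, failed, None
```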