When is Facebook App Review required, and what limitations will be enforced if an app is not reviewed?

Question

I've been battling with the (apparently quite common...) problem of getting hold of a permanent page access token for a Facebook Page of mine, so that I can post stuff to the feed of this page using an external app.

While researching this, I finally found this excellent tutorial for how to accomplish that.

When I try to get an Access Token with the "Extended Permission" called "manage_pages" (as mentioned in step 1.5 in the above linked tutorial), Facebook shows me an ugly red warning though, saying:

Submit for Login Review - Some of the permissions below have not been approved for use by Facebook

and also a padlock with the text

This does not let the app post to Facebook

appears at the same time a bit below in the dialog, as per follows:

The first confusing part is that there is still an "Okay" button in the dialog, and if I press it the procedure just moves forward without any more warning messages. "Okay" I thought to myself, "maybe it just removed the permissions in question automatically then".

The second confusing part though is that when I debug the resulting access token (using the Debug button in the Graph API Explorer), it does indeed report having all the permissions I requested (manage_pages, publish_actions and publish_pages).

The third and most of all confusing part is that if I use the page access token (resulting from the linked tutorial above) from my third-party application (a Python script issuing raw HTTP requests to the Graph API), it does indeed successfully post entries to the page's feed?!

At this point I'm utterly confused about what this review warning message was about to begin with (not to mention why there would be such a policy at all, preventing me from creating non-reviewed test apps that only post stuff to my own page?), so if anyone would be so kind as to explain this as clearly as possible, I (and most likely a lot of other people too) would be very grateful.

Answer 1

I'm confused why you make this so complicated. The answer you linked already contains all the info for the case you need a permanent page access token. The only thing you need is an simple app for this one-time purpose.

There's no need for this app to undergo Login Review if you don't want to authenticate other users than admins/testers/developers of this app, which I hardly doubt from what you wrote.

See

• https://developers.facebook.com/docs/apps/faq#roles

My app is only used by a small number of people, who are all listed in the Role section of the App Dashboard - do I need to go through Login Review?

• No, it does not have to be reviewed. If your app is only used by a very limited number of people - for example, to use the Facebook for Wordpress plugin to publish to your profile - it's completely normal to list them all as having different roles in your app's dashboard. They can be listed as Admins, Developers or Testers

• To enable you to develop and fully test your app, anyone listed in the Role section of your app's dashboard can be granted any permission necessary to test without review by Facebook. The purpose of Login Review is to protect the experiences of regular people who may interact with your app. Directly adding a small set of well-known people directly to your app is used for software development, testing and small application deployments.