Updates

This week we launched the ability for developers signing up for Facebook Credits to have the option to use PayPal as a payout option.

Breaking change: Graph API PROFILE_ID/feed and PROFILE_ID/posts requires access_token

The Graph API PROFILE_ID/feed/ for a Page, Application, User or Group and PROFILE_ID/posts for a Page or User will now require a vaild access_token to access the wall or posts of the corresponding object (where previously no access_token was required). This will also affect direct FQL queries to the stream table, when querying for posts on a wall.

You will need to pass a valid app or user access_token to access this functionality. Please update your code if you are calling this API without an access token. This change will go live a week from today – Friday(June 3rd). We have updated the Roadmap to reflect this change.

Moving forward, you should always pass a valid app or user access_token with all API requests.

Graph API to Tag photos

As part of our effort to bring the Graph API up to parity with REST this week we added support for reading, writing and updating tags on a photo via Graph API.

• You can now get tags on a photo by issuing a HTTP GET request to PHOTO_ID/tags.
• You can create a tag on the photo by issuing an HTTP POST request to the tags connection, PHOTO_ID/tags. You can specify which user to tag using two methods: in the URL path as PHOTO_ID/tags/USER_ID, or in a URL parameter as PHOTO_ID/tags?to=USER_ID with the publish_stream permission.
• Finally you can update the position of an existing tag for a particular user in the photo by issuing a HTTP POST request to /PHOTO_ID/tags/USER_ID or PHOTO_ID/tags?to=USER_ID with updated x and y coordinates with the publish_stream permission.

Note: This feature is intended to help users tag their friends in real photos. You should not use this feature to encourage users to tag their friends if their friends are not actually in that photo, or to tag friends in composite photos. If your app is find to be encouraging this behavior, your usage of this feature may be disabled. Please see the Photo reference doc for more information.

Here is a code sample that enables you to get a user’s photo, add a new tag to it and then updates the position coordinates of the tag.

<?php 

  $app_id = "YOUR_APP_ID";
  $app_secret = "YOUR_APP_SECRET"; 
  $my_url = "YOUR_POST_LOGIN_URL";

  $friend_to_tag_id= "ID_OF_FRIEND_TO_TAG";
  $x_coordinate = "X_COORDINATE_OF_TAG";
  $y_coordinate = "Y_COORDINATE_OF_TAG";
  $x_new_coordinate = "NEW_X_COORDINATE_OF_TAG";
  $y_new_coordinate = "NEW_Y_COORDINATE_OF_TAG";

  //authentication with publish_stream, user_photo_video_tags permission
  $code = $_REQUEST["code"];
  if(empty($code)) {
    $dialog_url = "http://www.facebook.com/dialog/oauth?client_id=" 
    . $app_id . "&redirect_uri=" . urlencode($my_url) 
    . "&scope=publish_stream,user_photo_video_tags";
    echo("<script>top.location.href='" . $dialog_url . "'</script>");
  }

  $token_url = "https://graph.facebook.com/oauth/access_token?client_id="
    . $app_id . "&redirect_uri=" . urlencode($my_url) 
    . "&client_secret=" . $app_secret 
    . "&code=" . $code;
    $response = file_get_contents($token_url);
    $params = null;
    parse_str($response, $params);
    $access_token = $params['access_token'];
  
  //get the user's photos and photo_id for the first pictre
  $post_url = "https://graph.facebook.com/me/photos?"
  . "access_token=". $access_token;
  $response = file_get_contents($post_url);
  $decoded_response = json_decode($response);
  $photo_id = $decoded_response->data[0]->id;
  

  //Tag friend_to_tag_id at position (x_coordinate, y_coordinate)
  $post_url = "https://graph.facebook.com/"
   .$photo_id . "/tags/" . $friend_to_tag_id 
   . "?access_token=". $access_token
   . "&x=" . $x_coordinate . "&y=" . $y_coordinate . "&method=POST";
  $response = file_get_contents($post_url);
  
  if ($response) 
  {
            //Print the tag we just added
 	show_tag_info($photo_id, $friend_to_tag_id, $access_token);

          //Update the x and y coordiates of the user_id
           $post_url = "https://graph.facebook.com/"
           .$photo_id . "/tags/" . $friend_to_tag_id 
           . "?access_token=". $access_token
           . "&x=" . $x_new_coordinate . "&y=" . $y_new_coordinate 
           . "&method=POST";
          $response = file_get_contents($post_url);

           //Print the tag we just updated
  	 show_tag_info($photo_id,$friend_to_tag_id, $access_token);
   } 

  else echo("errors");

//Function to print the tag information for friend_to_tag_id
  function show_tag_info($photo_id, $friend_to_tag_id, $access_token)
  {	
    //get the tags on the picture
    $post_url = "https://graph.facebook.com/"
    . $photo_id ."/tags?access_token=". $access_token; 
    $response = file_get_contents($post_url);
    $decoded_response = json_decode($response);

 //get the tag for friend_to_tag_id and display its coordinates
    foreach ($decoded_response->data as $tag)
    {
   	 $user_id = $tag->id;
	 if ($user_id==$friend_to_tag_id) break;
    }

    $x = $tag->x;    $y = $tag->y;
    $text= "user id= " . $user_id . " x = ". $x . " y = ".  $y;
    echo ($text . “<br/>);
 }
?>

Sample result

user id= 499324276 x = 20 y = 30
user id= 499324276 x = 40 y = 50

Graph API to get user’s video_upload_limits

We also added support to the Graph API where you can now get video_upload_limits for a specific user by issuing a HTTP GET request to USER_ID?fields=video_upload_limits with the appropriate access token.

https://graph.facebook.com/USER_ID?fields=video_upload_limits
          &access_token=ACCESS_TOKEN

See the User reference doc for more information.

Launching Facebook and Games Page

We are launching the Facebook + Games page similar to our Facebook + media page and Facebook + commerce page to share the latest industry news and best practices for the vertical.
Please like the Facebook and Games Page if you wish to stay informed about Facebook Platform games ecosystem and social gaming innovation.

Documentation activity for the past 7 days:

We have been primarily focused on updating Graph API documentation.

• Updated Graph API docs: User, Status Message, and Review.
• Updated FAQs on Like button and Send button to explain the pop-up window issue.

Fixing Bugs

Bugzilla activity for the past 7 days:

• 189 new bugs were reported
• 32 bugs were reproducible and accepted (after duplicates removed)
• 7 bugs were fixed (6 previously reported bugs and 1 new bug)
• As of today, there are 1,353 open bugs in Bugzilla (up 66 from last week)

Forum Activity

Developer Forum activity for the past 7 days:

• 496 New Topics Created
• 208 New Topics received a reply
• 44% received a reply from a community moderator or Facebook employee

Dhiren Patel on the Developer Relations team just tagged himself in a photo via the Graph API.

Handling invalidated access tokens

Last week, we reminded you how you should handle invalid access tokens. This is an important concept to understand as there are several legitimate reasons an access token can become invalid such as:

• its expiration time was reached
• a user changed their password
• a user deauthorized your application
• a user logged out of Facebook
• we invalidated it for security reasons

Even if you have the offline_access permission from the user, your token can still be invalidated. You should ensure you application is built
to handle these scenarios.

New PHP SDK

Today we upgraded the PHP SDK to version 3.0.0. Be sure to read our blog post which explains the changes as well as when you should consider upgrading. Version 2 of the PHP SDK will no longer work come September 1st as we will be requiring all apps to use the new OAuth flows.

Client-side re-authentication flow

A couple weeks ago we introduced a server-side way for you to force a user to re-enter their password to confirm their identity (e.g. before making a purchase on a shared computer). We now have a way to perform re-authentication on the client side as well. To get started, check out the example below or see the documentation.

<html>
<head></head>
<body>
<div id="fb-root"></div>
<button id="fb-login" onclick="login()">Login</button>
<script>
  var button = document.getElementById('fb-login');

  // For help with AJAX, see http://www.w3schools.com/Ajax/Default.Asp
  function checkNonce(access_token) {
    var xmlhttp;
    if (window.XMLHttpRequest)
      {// code for IE7+, Firefox, Chrome, Opera, Safari
      xmlhttp=new XMLHttpRequest();
      }
    else
      {// code for IE6, IE5
      xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
      }
    xmlhttp.onreadystatechange=function() {
      if (xmlhttp.readyState==4 && xmlhttp.status==200)
        {
          if (xmlhttp.responseText == 1) {
            console.log('The user has been successfully ' +
                               're-authenticated.');
          } else {
            console.log('The nonce has been used before. ' +
                               'Re-authentication failed.');
          }
        }
    }
    xmlhttp.open('POST','checkNonce.php',true);
    xmlhttp.setRequestHeader('Content-type',
      'application/x-www-form-urlencoded');
    xmlhttp.send('access_token=' + access_token);
  }

  function login(){
    FB.login(function(response) {
      if (response) {
        console.log('Login success. Checking auth_nonce...');
        checkNonce(response.session.access_token);
      } else {
          console.log('Login cancelled.')
      }
    }, { auth_type: 'reauthenticate', auth_nonce: 'abcd1234' });
  }

  window.fbAsyncInit = function() {
    FB.init({appId: 'YOUR_APP_ID', status: true, cookie: true,
             xfbml: true});
    FB.getLoginStatus(function(response) {
      if (response.session) {
        button.innerHTML = 'Re-Authenticate';
        console.log('User is logged in.');
      } else {
          console.log('User is not logged in.');
      }
    });
  };
  (function() {
    var e = document.createElement('script'); e.async = true;
    e.src = document.location.protocol +
      '//connect.facebook.net/en_US/all.js';
    document.getElementById('fb-root').appendChild(e);
  }());
</script>
</body>
</html>

checkNonce.php

<?php

    $access_token = $_REQUEST['access_token'];
    $graph_url = 'https://graph.facebook.com/oauth/access_token_info?'
        . 'client_id=YOUR_APP_ID&access_token=' . $access_token;
    $access_token_info = json_decode(file_get_contents($graph_url));

    function nonceHasBeenUsed($auth_nonce) {
        // Here you would check your database to see if the nonce
        // has been used before. For the sake of this example, we'll
        // just assume the answer is "no".
        return false;
    }

    if (nonceHasBeenUsed($access_token_info->auth_nonce) != true) {
        echo '1';
     } else {
        echo '0';
     }
?>

Old Insights Dashboard

As previously announced, we will remove the old version of the Insights dashboard on Tuesday as all the metrics that were previously available are now available in the new Insights dashboard.

Improving Docs

Documentation activity for the past 7 days:

• 132 docs are under review
• 4 docs were updated (Message, Thread, Photo, Page)

Fixing Bugs

Bugzilla activity for the past 7 days:

• 195 new bugs were reported
• 67 bugs were reproducible and accepted (after duplicates removed)
• 16 bugs were fixed (13 previously reported bugs and 3 new bugs)
• As of today, there are 1,287 open bugs in Bugzilla (up 3 from last week)

Forum Activity

Developer Forum activity for the past 7 days:

• 480 New Topics Created
• 243 New Topics received a reply
• Of those 243, 21 were replied to by a Facebook Employee
• Of those 243, 35 were replied to by a community moderator

Yasser Shohoud, a Partner Engineer on the Developer Relations team, is looking forward to seeing how you use the re-authentication feature to create safe, seamless user authentication flows.

This week, we announced an update to our Developer Roadmap that outlines a plan requiring all apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1. We also added two frequently requested How-To guides.

Subscribing to comment threads in the Comments Box

We added the ability to subscribe and unsubscribe from specific comment threads in the Comments Box. If you are interested in a particular part of the conversation, just click the subscribe link, and you'll receive a notification when others reply on thread. Similarly, you can unsubscribe to stop the notifications.

Like Story Feedback now available in Insights

Last month we expanded the story size that is shown when a user Likes a page on your site. We've now added a "Like Story Feedback" dashboard to Insights for your website. This dashboard shows you engagement data such as how many users liked and commented on these stories:

Using this data you can work on generating more interesting stories to fuel the conversation around your content.

API access to Send button metrics

You can now query the Graph API and the Insights FQL table for metrics on Send button activity. When a user engages with the Send button, one or more of the following sequence of actions occurs: the user views the button, then clicks on it, the receiver then views the item in their Messages, and clicks on it. These actions correspond to the following metrics that can be requested via the Graph API or the FQL table:

• domain_widget_send_views
• domain_widget_send_clicks
• domain_widget_send_inbox_views
• domain_widget_send_inbox_clicks

Each of these metrics is aggregated based on a domain claimed by your application. The FQL Insights documentation contains further details and the list of all available metrics. Here is some example code to retrieve the number of Send button views for a domain for the last three days (the default, see docs for other options):

<?php

  $app_id = "YOUR_APP_ID";
  $app_secret = "YOUR_APP_SECRET";
  $app_domain = "YOUR_APP_DOMAIN"; // e.g. developers.facebook.com

  // First, get a valid access token for the app
  $token_url = "https://graph.facebook.com/oauth/access_token?" .
    "client_id=" . $app_id .
    "&client_secret=" . $app_secret .
    "&grant_type=client_credentials";

  $app_access_token = file_get_contents($token_url);

  // Query the Graph API for the send views
  $graph_url="https://graph.facebook.com/insights/"
    . "domain_widget_send_views?"
    . "domain=" . $app_domain . "&"
    . $app_access_token;

  $response = file_get_contents($graph_url);
    
  // Use the results
  echo "<pre>";
  echo print_r(json_decode($response));
  echo "</pre>";

?>

Reference Documentation

As part of Operation Developer Love, we continue to improve our documentation. This week we updated the Album reference documentation for the Graph API. We plan to update the other Graph API reference docs based on this "template", so please let us know in the comments what you think about it. We will be adding information about errors relevant to the Graph API soon.

Improving Docs

Documentation activity for the past 7 days:

• 137 docs are under review
• 1 updated (Album)
• 2 new “How-To” guides

Fixing Bugs

Bugzilla activity for the past 7 days:

• 181 new bugs were reported
• 30 bugs were reproducible and accepted (after duplicates removed)
• 17 bugs were fixed (15 previously reported bugs and 2 new bugs)
• As of today, there are 1,284 open bugs in Bugzilla (up 62 from last week)

Forum Activity

Developer Forum activity for the past 7 days:

• 511 New Topics Created
• 239 New Topics received a reply
• Of those 239, 32 were replied to by a Facebook Employee
• Of those 239, 51 were replied to by a community moderator

Zhen Fang, on the Developer Relations team, wants to see metrics of how many people sent this post to a friend with the Send button.

Test Users: New response, limit, and password reset feature

Most developers test their apps by generating test users. We recently updated the response to include the test user’s email and password along with the id, access_token, and login_url. In addition, we added the ability to reset passwords via Graph API. We recommend that you either record the password or reset it whenever you need it, as it is only returned when the test user is first created.

Here’s a simple PHP example that creates a new test user, prints out the response, and changes the test user’s password:

<?php
 
  $app_id = "YOUR_APP_ID";
  $app_secret = "YOUR_APP_SECRET";

  $token_url = "https://graph.facebook.com/oauth/access_token?" .
    "client_id=" . $app_id .
    "&client_secret=" . $app_secret .
    "&grant_type=client_credentials";

  $app_access_token = file_get_contents($token_url);

  $graph_url = "https://graph.facebook.com/" . $app_id
    . "/accounts/test-users?installed=true"
    . "&permissions=read_stream&method=post&"
    . $app_access_token;

  $response = file_get_contents($graph_url);
  if($response) {
    $obj = json_decode($response);
    echo "<pre>";
    print_r($obj);
    echo "</pre>";
  } 
  
  //change the password
  $new_password = "YOUR_NEW_PASSWORD";
 
  $graph_url = "https://graph.facebook.com/" . $obj->{'id'}
    . "?password=" . $new_password . "&method=post&" . $app_access_token;

  $response = file_get_contents($graph_url);
  if($response) {
    echo "Password changed successfully.";
  }

?>

Based on your feedback, we have also increased the limit for the number of test users an app can create to 500.

Prompting users to re-authenticate

For many situations (e.g., before a user makes a purchase), developers wanted the ability to confirm a user’s identity by prompting the user to re-type in their password. This prevents a user from purchasing something as someone else in case that user is on a shared computer.

Server-side re-authentication

We have added two additional parameters that you can pass into the authentication request (at https://www.facebook.com/dialog/oauth or https://graph.facebook.com/oauth/authorize):

• auth_type: this parameter specifies the requested authentication features (as a comma-separated list). Valid options are:
• https – checks for the presence of the secure cookie and asks for re-authentication if it is not present
• reauthenticate – asks the user to re-authenticate unconditionally
• auth_nonce: specifies an app-generated alphanumeric nonce which can be used to provide replay protection. This parameter is option, but apps are strongly encouraged to use it especially when requesting reauthenticate as auth_type

Here’s a PHP example of authenticating and re-authenticating a user:

<?php 
  $app_id = "YOUR_APP_ID";
  $app_secret = "YOUR_APP_SECRET";
  $my_url = "YOUR_APP_URL";
  $auth_nonce = "YOUR_AUTH_NONCE";

  $code = $_REQUEST["code"];  
 
  //Check to see if reauth button was clicked, 
  //if so prompt re-auth dialog
  if(!empty($_REQUEST['reauth']))
  {
     $dialog_url = "https://www.facebook.com/dialog/oauth?client_id=" 
	   . $app_id . "&redirect_uri=" . urlencode($my_url) 
	   . '&auth_type=reauthenticate&auth_nonce=' . $auth_nonce;

     echo("<script> top.location.href='" . $dialog_url . "'</script>");
  }
  
  if($_REQUEST['error']) { 
      //user did not reauthenticate successfully
      echo $_REQUEST['error'] . ": " . $_REQUEST['error_description'];
      echo '<p>';
      return;
  }

  $token_url = "https://graph.facebook.com/oauth/access_token?" .
	"client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url) . 
	"&client_secret=" . $app_secret . "&code=" . $code;

  $access_token = file_get_contents($token_url);
  
  $params = null;
  parse_str($access_token, $params);

  if($params['auth_nonce']==$auth_nonce) {	
	  echo("Hello again! You were re-authenticated.");
	  echo '<p>';
	  return;
  }
  
  $graph_url = "https://graph.facebook.com/me?" .
      $access_token;

  $user = json_decode(file_get_contents($graph_url));

  echo("Hello " . $user->name);
  echo '<p>'; 
  
  //Check if code is empty (when user first hits page). 
  //Prompt user to auth.
  if(empty($code)) {
    $dialog_url = "https://www.facebook.com/dialog/oauth?client_id=" 
      . $app_id . "&redirect_uri=" . urlencode($my_url);

    echo("<script> top.location.href='" . $dialog_url . 
      "'</script>");
  }  
?>

<html>
<head></head>
<body>
  <form action="YOUR_APP_URL">
    <input type="hidden" name="reauth" value=”true” />
    <input type="submit" value="Re-authenticate" />
  </form>
</body>
</html>

Improving Reference Docs

Documentation activity for the past 7 days:

• 138 docs are under review
• 4 “How-To” docs

Fixing Bugs

Bugzilla activity for the past 7 days:

• 194 new bugs were reported
• 29 bugs were reproducible and accepted (after duplicates removed)
• 12 bugs were fixed (10 previously reported bugs and 2 new bugs)
• As of today, there are 1,222 open bugs in Bugzilla (up 16 from last week)

Forum Activity

Developer Forum activity for the past 7 days:

• 477 New Topics Created
• 246 New Topics received a reply
• Of those 246, 45 were replied to by a Facebook Employee
• Of those 246, 43 were replied to by a community moderator

Jan Jezabek, a Platform engineer, hopes to see more e-commerce apps on Facebook use the ability to re-authenticate users.

This week we launched the Send button to give users an easy way to privately share content with groups and individuals.

Using the Graph API to get permissions granted
As part of our efforts to transition functionality from legacy REST APIs to the Graph API, we added the ability to retrieve the list of permissions users have granted your app by adding the permissions connection to the User object. Similar to other User object connections, you can query for the list of permissions granted by calling: https://graph.facebook.com/me/permissions?access_token=…

Here is a simple PHP sample to show how to query for which permissions you’ve granted an application:

<?php 

  $app_id = "YOUR_APP_ID";
  $app_secret = "YOUR_APP_SECRET"; 
  $my_url = "YOUR_POST_LOGIN_URL"; 

  $code = $_REQUEST["code"];
  
  if(empty($code)) {
    $dialog_url = "http://www.facebook.com/dialog/oauth?client_id=" 
    . $app_id . "&redirect_uri=" . urlencode($my_url) . "&scope=email";

    echo("<script>top.location.href='" . $dialog_url . "'</script>");
  }

  $token_url = "https://graph.facebook.com/oauth/access_token?client_id="
    . $app_id . "&redirect_uri=" . urlencode($my_url) 
    . "&client_secret=" . $app_secret 
    . "&code=" . $code;

  $access_token = file_get_contents($token_url);
  $graph_url="https://graph.facebook.com/me/permissions?".$access_token;
  echo "graph_url=" . $graph_url . "<br />";
  $user_permissions = json_decode(file_get_contents($graph_url));
  print_r($user_permissions);

?>

Developer Site Latency

On April 26th, we moved the Facebook Developer site from a small, dedicated tier to the same hosts that serve www.facebook.com. As you can see from the graph below, it has increased our site’s performance significantly since the migration.

Improving our Reference Docs

As part of Operation Developer Love, we have a goal to improve and update the Graph API, FQL, XFBML, and SDK reference documentation to ensure that the information is complete with examples, accurate, and verified within the past 90 days. Going forward, we will track and share our weekly progress to keep our team accountable to these efforts to make the Dev Site the best resource for you to build your Facebook app. To receive more frequent updates on particular docs, you can click “Like” at the bottom of each ref doc.

Documentation activity for the past 7 days:

• 138 docs are under review (kicking things off)

Fixing Bugs

Bugzilla activity for the past 7 days:

• 156 new bugs were reported
• 31 bugs were reproducible and accepted (after duplicates removed)
• 12 bugs were fixed (none of which were reported this week)
• As of today, there are 1,206 open bugs in Bugzilla (down 23 from last week)

Forum Activity

Developer Forum activity for the past 7 days:

• 448 New Topics Created
• 199 New Topics received a reply
• Of those 199, 3 were replied to by a Facebook Employee
• Of those 199, 38 were replied to by a community moderator

Please let us know if you have any questions or feedback in the comments below.