Permissions API

From Facebook Developers Wiki


With the permissions API, an application can authorize another application to call certain API methods on its behalf. The application can revoke this access whenever necessary. At this time, the permissions API allows applications to grant others access to three methods under the admin namespace:

More methods and namespaces will be added to the list going forward as needed.

You can specify which of these API methods and/or namespaces are accessible within the application. For example, application A can have application B gather certain stats for it by giving B permission to call admin.getDailyMetrics on its behalf, or it can grant B permission to call all admin namespace methods by granting permission for admin, which implies permission to call the three allowed methods. Note that:

  • Any API method that involves accessing users' data cannot be called by another application on an application's behalf. These API methods must abide by the trust users have placed in the application they installed, and users have not authorized that application to transfer that trust to another application.
  • Any methods that are too powerful or have potential for misuse will not be allowed. For example, admin.setAppProperties will never be open to the permissions API.

Be aware that the permissions API is very powerful and gives applications a unique way to offload some of their work, so grant permissions to other applications with the utmost care.

Managing Access to an Application

There are four API methods that allow applications to grant, check, and revoke access to API methods and namespaces:

Calling an API on Another Application's Behalf

An API call is considered to be on behalf of another application if the request contains a parameter call_as_apikey with the value equal to the API key for the application on whose behalf you want to make the request.

To simplify this, we have added a permissions_mode to the PHP client library. We have added two methods and a property to the FacebookRestClient class.

  • public function begin_permissions_mode($permissions_apikey);
  • public function end_permissions_mode();
  • public $call_as_apikey;

When you are using the client library, you just have to make sure you call begin_permissions_mode before you start making calls on another application's behalf, and call end_permissions_mode when you are done. API calls for methods to which you are not allowed to grant access will fail while you are in permissions mode.
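
Permissions mode is state held on the client object, so a delegated call that fails before end_permissions_mode runs would leave later requests still carrying call_as_apikey. The following is an added example, not code from the wiki or the client library: a wrapper that always leaves permissions mode. StubRestClient, call_method, with_permissions_mode and the key APP_A_API_KEY are hypothetical stand-ins, and the stub's exception is an assumption about how a disallowed call fails.

```php
<?php
// Stand-in for FacebookRestClient (assumption: the real library is not loaded).
// It only records the parameters each request would carry.
class StubRestClient {
    public $call_as_apikey = '';
    public $sent = array();   // constructed request log, for inspection only
    public function begin_permissions_mode($k) { $this->call_as_apikey = $k; }
    public function end_permissions_mode() { $this->call_as_apikey = ''; }
    // Hypothetical transport: adds call_as_apikey only while in permissions mode.
    public function call_method($method, array $params = array()) {
        if ($this->call_as_apikey !== '') {
            $params['call_as_apikey'] = $this->call_as_apikey;
        }
        $this->sent[] = array('method' => $method) + $params;
        // Simulated failure: this method is never open to the permissions API.
        if ($method === 'admin.setAppProperties' && isset($params['call_as_apikey'])) {
            throw new Exception("$method is not open to the permissions API");
        }
        return true;
    }
}

// Runs $work in permissions mode and always leaves it, even when a call throws.
function with_permissions_mode($client, $apikey, callable $work) {
    if ($client->call_as_apikey !== '') {
        throw new LogicException('already in permissions mode');
    }
    $client->begin_permissions_mode($apikey);
    try {
        return $work($client);
    } finally {
        $client->end_permissions_mode();
    }
}

$client = new StubRestClient();
try {
    with_permissions_mode($client, 'APP_A_API_KEY', function ($c) {
        $c->call_method('admin.getDailyMetrics');   // delegated call
        $c->call_method('admin.setAppProperties');  // fails inside permissions mode
    });
} catch (Exception $e) {
    echo 'delegated call failed: ', $e->getMessage(), "\n";
}
$client->call_method('admin.getDailyMetrics');      // sent under the caller's own key
foreach ($client->sent as $request) {
    echo json_encode($request), "\n";
}
```

The last logged request has no call_as_apikey entry, which is the property to check for in any code path that mixes delegated and non-delegated calls on one client object.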
