What is the length of the access_token in Facebook OAuth2?

7

106

I searched on Google and StackOverflow to find an answer to my question, but I can't find one.

I'd like to store the access_token to my database for offline access and I'd like to be sure to specify the correct length of my column.

I can't even find if it's just a number or a mix between number and strings.

Montgomery answered 10/12, 2010 at 12:47 Comment(0)
135

I work at Facebook and I can give a definitive answer about this.

Please don't put a maximum size on the storage for an access token. We expect that they will both grow and shrink over time as we add and remove data and change how they are encoded.

We did give guidance in one place about it being 255 characters. I've updated the blog post that had that information and updated our new access token docs to include a note about sizes:

https://developers.facebook.com/docs/facebook-login/access-tokens/

Sorry for the confusion.

Wahl answered 3/5, 2013 at 18:59 Comment(7)
It's fitting that the definitive answer from Facebook is "we're going to change it later." – Halloo
At least this way I can expect the change, so I won't be unprepared. – Folio
Having no limit at all is kind of a pain, as we're currently storing it in a 300-byte varchar2 and started having problems today with 301-305 byte tokens. Are you suggesting we use a clob instead? Or is there some reasonably large size that we could use? – Stokowski
I'll definitely keep that answer for the next time someone asks me "which max size should we set for this field" => "Don't set any max size, it's gonna grow anyway". Really, I love it!! Facebook, you made my day ;) – Bourgeon
MySQL requires an upper bound on this. Please give a realistic upper bound, e.g. 1000 characters, 10,000 characters, 1,000,000,000 characters? Having no upper bound is just unreasonable. – Normanormal
Just got a 265-character token. – Multiracial
I got a token with over 255 also (more than my column allowed, so I got an error). – Communalism
69

With Facebook's recent move to encrypted access tokens, the length of the access token can be up to 255 characters. If you're storing the access token in your database, the column should be able to accommodate at least varchar(255). Here's an excerpt from Facebook's Developer blog from October 4, 2011:

"With the Encrypted Access Token migration enabled, the format of the access token has changed. The new access token format is completely opaque and you should not take any dependency on the format in your code. A varchar(255) field will be sufficient to store the new tokens."

Full blog post here: https://developers.facebook.com/blog/post/572

Commander answered 25/10, 2011 at 4:15 Comment(8)
+1 for the updated info. This should really be the accepted answer now. – Mordvin
Seems no longer valid. I recently received a 256-character-length access token. – Jahnke
Same as @Jahnke above. We are increasingly getting 240+ character long tokens, including a few 255+ nowadays. – Atlantes
That's strange. Out of a sample of 8000, the longest one I've seen is 126 characters. – Commander
We've recently seen 344-character access tokens. – Jahnke
They're getting longer and longer for me as well. I'm now seeing a lot in the low 200s. It's definitely time to update my database to reflect this. – Commander
I've seen some access tokens on our servers as well that exceeded the varchar length. So I changed to text. – Subchaser
I'm now seeing 448 characters from a custom API. – Neocene
30

This answer is no longer correct, and I can't find a corrected value in FB's docs. We have been receiving access tokens that are longer than 255 characters. We're moving from VARCHAR to a SMALLTEXT instead to try to future-proof things.

Sere answered 11/12, 2012 at 2:22 Comment(3)
Yes, I got 284 characters in a production app, so I got a database error because the column is varchar(255)... – Sackey
Same. Just got a 257. – Rok
SMALLTEXT or MEDIUMTEXT? I also previously had my access_token restricted to VARCHAR(255) and I'm dealing with the fallout of that today. – Sunburst
10

From section 1.4 of The OAuth 2.0 Authorization Protocol (draft-ietf-oauth-v2-22):

Access tokens can have different formats, structures, and methods of utilization (e.g. cryptographic properties) based on the resource server security requirements. Access token attributes and the methods used to access protected resources are beyond the scope of this specification and are defined by companion specifications.

I looked for the "companion specifications" but didn't find anything relevant, and in section 11.2.2 it states:

o Parameter name: access_token
o Parameter usage location: authorization response, token response
o Change controller: IETF
o Specification document(s): [[ this document ]]

This seems to indicate that the access_token parameter is defined within this spec, which I guess it is, but the actual access token isn't fully fleshed out.

Update: the latest version of the specification at the time of writing (draft-ietf-oauth-v2-31) includes an appendix that better defines what to expect from the access_token parameter:

A.12. "access_token" Syntax

The "access_token" element is defined in Section 4.2.2 and
Section 5.1:

  access-token = 1*VSCHAR

So essentially what this means is that the access_token must be at least 1 character long, but this specification defines no upper limit on its length.

Note that they define VSCHAR = %x20-7E (printable US-ASCII, from space to tilde).

Cuirassier answered 14/10, 2011 at 15:56 Comment(0)
5

A Facebook access token can be longer than 255 characters. I had a lot of errors like `ActiveRecord::StatementInvalid: PG::StringDataRightTruncation: ERROR: value too long for type character varying(255)`, where the value was a Facebook access token. Do not use a string-type column, because its length is limited. You can use a text-type column to store tokens.

Phthisis answered 18/8, 2014 at 9:33 Comment(0)
3

Recently, our app has been seeing them longer than 100 characters. I'm still looking for documentation so I can figure out a 'safe' field size for them.

Carcajou answered 2/2, 2011 at 19:20 Comment(1)
What is this "documentation" you speak of? :D – Epexegesis
2

I'll update the answer with what I found in the time I spent on this.

From the OAuth2 documentation:

The access token string size is left undefined by this specification. The client should avoid making assumptions about value sizes. The authorization server should document the size of any value it issues.

(Section 4.2.2 of this document)

Note: Facebook is using OAuth2, as mentioned on this page.

So for now, no information seems to be available on the Facebook developer portal about the length of the OAuth token. Yahoo seems to use a 400-bit-long token, so it's best to assume that a TEXT column in MySQL is safer than a varchar.

Montgomery answered 2/4, 2013 at 14:48 Comment(1)
Facebook dev API's documentation: totally dodgy, no field lengths are specified anywhere! – Lachrymose
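The two spec quotes in this thread (Cuirassier's answer citing Appendix A.12, `access-token = 1*VSCHAR` with `VSCHAR = %x20-7E`, and the answer above citing Section 4.2.2, "the client should avoid making assumptions about value sizes") together give the only concrete thing a client can check: the character set, not the length. The following Python is an added example, not code from the thread or from Facebook; it validates a token string against the A.12 grammar and reports whether it would fit a fixed-width column, using the token lengths commenters reported on this page. The helper and function names, the random sample tokens and the `REPORTED_LENGTHS` tuple are constructed for illustration.

```python
"""Added example (not from the thread): validate an OAuth 2.0 access_token
against the grammar quoted above (access-token = 1*VSCHAR, VSCHAR = %x20-7E)
and check whether a token of a given length fits a fixed-width column.
"""
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional

# VSCHAR is printable US-ASCII: space (0x20) through tilde (0x7E) inclusive.
_VSCHAR_MIN, _VSCHAR_MAX = 0x20, 0x7E


def is_valid_access_token(token: str) -> bool:
    """True iff token matches 1*VSCHAR: at least one char, every char in %x20-7E.

    The spec fixes the alphabet but not the length, so this is the only
    structural check a client can legitimately make.
    """
    if not token:
        return False
    return all(_VSCHAR_MIN <= ord(ch) <= _VSCHAR_MAX for ch in token)


@dataclass(frozen=True)
class FitCheck:
    length_chars: int
    length_bytes: int            # UTF-8 size, relevant for byte-sized columns (varchar2)
    column_limit: Optional[int]  # None models an unbounded TEXT/CLOB column
    fits: bool


def check_fit(token: str, column_limit: Optional[int]) -> FitCheck:
    """Report whether token fits a column of column_limit characters.

    A grammar-conforming token is pure ASCII, so its character count equals
    its UTF-8 byte count; a non-conforming token (e.g. non-ASCII) is rejected
    outright rather than stored, since it cannot be a valid access_token.
    """
    if not is_valid_access_token(token):
        raise ValueError("token does not match 1*VSCHAR; refusing to store it")
    nchars = len(token)
    nbytes = len(token.encode("utf-8"))
    fits = column_limit is None or nchars <= column_limit
    return FitCheck(nchars, nbytes, column_limit, fits)


def make_opaque_token(length: int) -> str:
    """Constructed sample token (not a real Facebook token): random URL-safe
    characters, all of which lie inside VSCHAR."""
    alphabet = string.ascii_letters + string.digits + "-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Token lengths that commenters in this thread reported seeing in production.
REPORTED_LENGTHS = (126, 256, 265, 284, 344, 448)


def lengths_rejected_by(column_limit: Optional[int]) -> List[int]:
    """Which of the reported lengths a varchar(column_limit) column would reject."""
    return [
        n for n in REPORTED_LENGTHS
        if not check_fit(make_opaque_token(n), column_limit).fits
    ]


if __name__ == "__main__":
    for limit in (255, 300, None):
        name = "TEXT (unbounded)" if limit is None else f"varchar({limit})"
        print(f"{name:18} rejects lengths: {lengths_rejected_by(limit)}")
```

The interesting line is the `ValueError`: a token containing a character outside `%x20-7E` is not a malformed-but-storable value, it is not an OAuth 2.0 access_token at all, so the right response is to reject it before it reaches the database. Everything else in the block only confirms what the comments found empirically: with the alphabet fixed and the length open, a bounded `varchar` column is a bet against the issuer, and the unbounded column is the one that does not need revisiting.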

© 2022 - 2024 — McMap. All rights reserved.