Why does my Facebook app keep getting rejected during app review?

App review is where dreams go to die. They'll reject you for reasons not mentioned in their guidelines, then make you wait another 7-14 business days to try again. Common rejection reasons that aren't in the docs: - Your privacy policy doesn't use their exact wording - Your app description mentions "social media" but doesn't explicitly say "Facebook" - You recorded your demo video in landscape instead of portrait - A reviewer had a bad day Pro tip: Record multiple demo videos from different angles and submit the most boring, obvious one possible. Facebook reviewers hate creativity.

Why do my access tokens keep expiring randomly?

Because Facebook's token management was designed by sadists. User tokens last 1-2 hours, page tokens last 60 days (unless Facebook decides they don't), and app tokens work until they randomly don't. The refresh token dance fails about 10% of the time for no discernible reason. Always implement aggressive retry logic with exponential backoff, and prepare to explain to your users why they got logged out mid-session.

How much does this actually cost?

The APIs are "free" in the same way that heroin is free from your dealer. You'll pay in: - **Time**: Weeks lost to app review rejections - **Sanity**: Debugging OAuth flows that break for no reason - **WhatsApp Real Costs** (updated November 2024 - service conversations are now FREE): - Service conversations (customer-initiated within 24 hours) are free since November 1, 2024 - Marketing conversations still cost money (varies by region, around $0.005-$0.03) - Template message costs depend on region and message type - Failed message deliveries still count (and Facebook's delivery is still shit) - Free service conversations helped our costs, but marketing messages add up fast - **Marketing API**: You need active ad spend to access the good stuff - **Developer Therapy**: Not covered by most insurance

Is Facebook Platform actually reliable enough for production?

Short answer: No. Long answer: Absolutely not. Remember the [October 2021 outage](https://engineering.fb.com/2021/10/05/networking-traffic/outage-details/) that took down everything for 6 hours? Or the countless times their APIs randomly return 500 errors for hours? Facebook doesn't provide SLAs because they know they can't meet them. Always have a backup plan. Your million-dollar app integration will break at the worst possible moment.

Why is my app's rate limiting inconsistent?

Because Facebook's rate limiting logic was apparently designed by throwing darts at a board. The official limit is "200 API calls per user in any given 60-minute window" but in practice: - Sometimes you get throttled after 50 calls for a single user - Sometimes you can make way more calls with no issues - User-based limits mean popular users hit walls faster - Marketing API has different limits that change based on ad spend Implement exponential backoff and pray to whatever deity you believe in.

Can I actually get useful user data?

Not really. Since Cambridge Analytica, Facebook locked down user data tighter than Fort Knox. You can get: - Public profile info (name, profile pic) - Email address (if you survive app review) - Nothing else useful Forget about friends lists, user posts, or anything that would actually be helpful. If you need real user data, look elsewhere.

Do the SDKs actually work?

The JavaScript SDK works until Safari decides to block cookies. The iOS/Android SDKs break every time Apple/Google releases a major update. The PHP SDK is probably the least terrible option. My advice: Skip the SDKs and make direct HTTP calls. At least when they break, you'll know why.

What happens when Facebook changes their policies again?

They'll post a blog announcement, send you an email, and give you 6 months to completely rewrite your integration. Sometimes. For "security" changes, you might get 2 weeks notice. For really important changes, you might find out when your app stops working. Monitor the [developer blog](https://developers.facebook.com/blog/) religiously and keep your lawyer on speed dial.

How do I debug OAuth failures?

You don't. Facebook's OAuth error messages are about as helpful as a chocolate teapot. Here are the actual error messages you'll encounter: **Real Facebook Error Messages That Make You Want to Scream:** - `"Error validating access token: Session has expired on Tuesday, 09-Aug-22 09:30:00 PDT."` (It's Wednesday and the token was generated 10 minutes ago) - `"Unknown method"` (for a documented endpoint that worked yesterday) - `"Unsupported get request"` (for the same GET request that worked 5 minutes ago) - `"(#100) No permission to access requested data"` (even though your app has the permission) - `"OAuthException: Invalid OAuth access token"` (the token is valid according to the debugger) - `"This authorization code has been used"` (you've never used this code before) - `"Error validating application. Cannot get application info."` (your app ID is correct) "Authorization failed" could mean literally anything: - Invalid client ID - Wrong redirect URI (including missing/extra trailing slashes) - User denied permission - Facebook's servers are having a bad day - Your app is in development mode and you forgot to add test users - Mercury is in retrograde The [Graph API Explorer](https://developers.facebook.com/tools/explorer/) sometimes helps, but mostly you'll just try random shit until something works.

Should I integrate with Instagram and WhatsApp too?

Instagram API is tied to Facebook, so you're already committed to this nightmare. WhatsApp Business Platform works, but costs money and has rigid message templates. If you're already integrating with Facebook, adding Instagram won't make your life much worse. WhatsApp is worth it if you can stomach the conversation charges.

Can I use Facebook Platform for anything serious?

Only if you enjoy living dangerously. Facebook Platform is fine for non-critical features like social login or sharing buttons. But if your business depends on Facebook APIs working consistently, you're gambling with your company's future. Build it as a nice-to-have feature, not a core dependency. Because when (not if) it breaks, you'll need something to fall back on.

Currently viewing the AI version

Switch to human version

Facebook Platform API Integration - AI-Optimized Technical Reference

Platform Overview

Service: Meta's Facebook Platform APIs for social graph integration
Current API Version: Graph API v23.0
Global Reach: 3+ billion users
Reliability Warning: No SLA provided, frequent outages
Support Quality: Minimal developer support, community-driven troubleshooting

Critical Failure Scenarios

Authentication System Failures

Token Expiration: User tokens (1-2 hours), Page tokens (60 days), random early expiration common
OAuth Refresh Failures: 10% failure rate on token refresh operations
Safari Cookie Blocking: Third-party cookie restrictions break web login flows
Production Authentication Outages: 3-hour BlackFriday outage resulted in $180,000 lost sales

Rate Limiting Inconsistencies

Official Limit: 200 API calls per user per 60-minute window
Actual Implementation: 50-500 calls depending on server load
User-Based Impact: Popular users hit limits faster than casual users
Marketing API: Limits tied to advertising spend levels

App Review Process Delays

Timeline: 7-14 business days minimum, often 2-4 weeks with rejections
Rejection Rate: High for undocumented reasons (video orientation, exact privacy policy wording)
Business Impact: Engineering timeline disruption, feature launch delays

Technical Implementation Reality

API Response Performance

Normal Response Time: 50-200ms
Degraded Performance: 2-3 seconds during API version transitions
Failure Scenarios: Random 500 errors during peak usage
Batch Operations: Maximum 50 operations per request

Data Access Limitations Post-Cambridge Analytica

User Data: Public profile only (name, profile picture)
Email Access: Requires app review approval
Social Graph: Friends list access completely removed
Page Data: Requires admin permissions per page

Error Message Quality

Common Unhelpful Errors:
- "Unknown method" (for documented endpoints)
- "Session has expired" (for recently generated tokens)
- "Invalid OAuth access token" (token validates in debugger)
- "No permission to access requested data" (app has required permission)

Resource Requirements

Development Time Investment

Initial Setup: 1-2 weeks for basic integration
OAuth Implementation: 2-3 weeks including edge case handling
App Review Process: Add 2-4 weeks buffer for rejections
API Version Migration: 3+ weeks per major version change

Ongoing Maintenance Costs

API Deprecation Cycle: Every 6 months with breaking changes
Monitoring Requirements: Continuous error tracking due to instability
Backup Implementation: Essential for business-critical features
WhatsApp Business Costs: Service conversations free (as of Nov 2024), marketing messages $0.005-$0.03 per conversation

Technical Expertise Requirements

OAuth 2.0 Implementation: Advanced knowledge required
Error Handling: Extensive retry logic and fallback mechanisms
Token Management: Complex rotation and validation systems
Webhook Reliability: Polling backup systems necessary

Production Configuration

Essential Settings That Work

// Token refresh with aggressive retry
const refreshToken = async (token) => {
  const maxRetries = 3;
  const backoffDelay = [1000, 5000, 15000];
  // Implement exponential backoff
};

// Rate limit handling
const apiCall = async (endpoint, params) => {
  // Always implement 429 status handling
  // Facebook's rate limiting is inconsistent
};

Critical Security Requirements

Token Storage: Encrypted storage mandatory for app review
Domain Verification: Exact URL matching including trailing slashes
HTTPS Endpoints: Required for webhooks with valid SSL certificates
Privacy Policy: Must be live and use Facebook's specific terminology

Alternative Platform Comparison

Platform	Rate Limits	Stability	Cost	Business Features
Facebook	200/user/hour	Poor (no SLA)	Free + ad spend	Marketing API, Shop integration
Twitter API v2	300/15min free	Moderate	$100-5000/month	Ads API, Premium tiers
LinkedIn API	500/day	Good	Free + partnership	Lead gen, company analytics
YouTube Data API	10K units/day	Excellent	Free with quotas	Analytics, content management

Breaking Points and Failure Modes

Geographic Distribution Issues

CDN Problems: Regional availability inconsistencies
IP-Based Rate Limiting: Complicates load balancing strategies
Webhook Delivery: Unreliable across different regions

Scale-Related Failures

Token Sharing: Complex across multiple servers
Connection Pooling: Load balancers randomly reset connections
Peak Usage: Higher failure rates during traffic spikes

Business Continuity Risks

No Compensation: Platform terms explicitly deny liability
Policy Changes: 6-month notice for deprecations, 2 weeks for "security" changes
Account Suspension: No appeal process for developers

Decision Criteria for Implementation

Use Facebook Platform When:

User base primarily on Facebook/Instagram
Non-critical feature implementation (social sharing, secondary login)
Marketing API integration with active ad spend
Can afford 2-4 week development buffer for app review

Avoid Facebook Platform When:

Business-critical authentication requirements
Need reliable webhook delivery
Tight development timelines
Cannot maintain fallback systems

Alternative Solutions:

Auth0: Third-party OAuth handling ($23/month minimum)
Firebase Auth: Google's Facebook integration wrapper
Direct Integration: YouTube, LinkedIn APIs for more stable options

Essential Monitoring and Alerting

Critical Metrics to Track

Token Refresh Success Rate: Should be >90%
API Response Time: Alert if >500ms sustained
Error Rate by Endpoint: Track 4xx/5xx responses
Webhook Delivery Success: Implement polling backup at <85%

Required Fallback Systems

Authentication: Always provide email/password option
Content Publishing: Direct platform posting capability
Data Retrieval: Cached data with manual refresh option
User Management: Independent user database

Implementation Best Practices

Code Structure Recommendations

// Never depend solely on Facebook APIs
const authenticate = async (method) => {
  switch(method) {
    case 'facebook':
      return await facebookAuth(); // With fallback
    case 'email':
      return await emailAuth(); // Primary backup
    default:
      throw new Error('Authentication method required');
  }
};

Testing Strategy

Test Users: Create multiple test accounts (behave differently from production)
API Explorer: Use for initial endpoint testing only
Production Simulation: Test with real accounts in development mode
Error Scenarios: Test OAuth failures, token expiration, rate limiting

This technical reference provides the operational intelligence needed for informed decision-making about Facebook Platform integration, including realistic timelines, failure scenarios, and implementation alternatives.

Useful Links for Further Investigation

Where to Get Real Help (Since Facebook Won't Give You Any)

Link	Description
Meta Developer Documentation	The official portal that looks comprehensive but leaves out all the important details. Good for getting started, terrible for debugging when things break.
Stack Overflow - Facebook Graph API	The real documentation. Search here first because someone else has already hit the same stupid problem you're dealing with. Most helpful answers are from 2019-2021.
GitHub - Facebook SDK Issues	Where you'll find out that the bug you're experiencing is a "known issue" that Facebook has no intention of fixing. Great for confirming you're not going insane.
Facebook Graph API Examples on GitHub	Community code samples that might actually work, unlike Facebook's official examples. Always check the last commit date.
Facebook SDK for JavaScript GitHub	Official JS SDK source code. Read the issues to understand what's actually broken before trying to implement anything.
Facebook Official Repositories	Official Facebook GitHub organization with SDKs and tools. Check here for the latest official libraries.
Meta Business Status	Where Facebook pretends to tell you when their services are down. Usually shows "All Systems Operational" while everything is on fire.
Auth0 Facebook Identity Provider	Third-party authentication that handles Facebook's OAuth nightmare for you. Worth the money.
Firebase Authentication with Facebook	Google's take on Facebook authentication. Sometimes works better than Facebook's own SDKs.
Hootsuite Developers	Companies like Buffer and Hootsuite that have already figured out how to deal with Facebook's bullshit. Use their APIs instead of building your own.
DownDetector - Facebook	More reliable than Facebook's own status page for knowing when their APIs are broken.
IsItDownRightNow - Facebook APIs	Alternative service monitoring for when you can't tell if the problem is your code or Facebook's servers.