Connecting and tokens are concepts used by networks to manage pages and accounts. Tokens are generated when a user – you, for example – authorizes the Metigy platform to access something (this is what we call connecting).
Metigy uses the services that each network provides to make this connection. This document does not cover that flow, but there are lots of materials online discussing it.
We also have a post, “Keep it real, Don’t fake it”, which discusses managing access to pages and accounts.
But first, what are tokens?
This is a question we get asked quite often, and the most straightforward answer is they are like a pre-paid phone.
Networks don’t just give out content. They give you tokens that you use to access their services, and each token carries some credits that you can spend on that access. Every type of token outlined below has some credits assigned, and the limits don’t vary according to what they are designed to do.
For this reason, we use your tokens to collect data on your pages and your competitors, as our own application is not given enough credits to consume your data as well.
What type of tokens are there?
When a token is generated, there are several types that can be created, each serving a different function depending on the platform:
- User Tokens – First up, we do not store this token for Facebook, as we don’t use it beyond acting on your behalf to connect the page you want to manage. This flow is required by Facebook. On some platforms, such as Twitter, this token is the only one available. The value of this token is designed for user interaction and is generally quite small, because there’s only so much a user can do. It is not used for collecting page statistics as the limits are too low.
- Page Tokens – This is currently Facebook-specific and is a token that only has access to a page. It enables reading content and publishing posts for and as that page. The value of this token is based on how engaged your page is, and it is ideal for collecting statistics, posting content and managing adverts. The more people who access your page, the more value your token is given, as you have more data to collect.
Also, we store the tokens using heavy encryption so that in the event of a breach, the tokens are still safe, and we will never, ever share them with anyone.
What are the tokens used for?
- Collecting statistics about a location – e.g., number of fans
- Gathering statistics about content – e.g., how many likes or comments a post got
- Publishing content – e.g., Posting content on Twitter or Facebook
- Publishing activations (if the platform supports it – currently only Facebook)
- Validating a user (used when setting up an account)
- Getting lists of pages a user can access (this is useful to show a user what they can manage)
What are they not used for?
Doing things without your permission! We mean that. And we won’t do anything you haven’t asked us to. We sincerely mean that and will never touch your account without your approval. And this goes double for not posting content you didn’t ask us to.
Additionally, our accounts are set up with each network in a way that restricts all access to just our infrastructure, so even if someone compromised a token, it would be useless outside of our platform.
What are the issues that can occur?
Tokens are designed with security at their core, which means there are a lot of cases where a token will no longer work:
- The token has expired. This is common. By design, tokens have a short lifespan of a few days to a few months. When a token is close to expiring, we will let you know so you can re-connect before that happens. This way your Metigy experience will be uninterrupted.
- A password gets changed. Tokens are linked to accounts and if a critical piece of security for that account changes – such as a password – the network will make any generated token invalid.
- The user that connected a page lost permission to access that page. When a user leaves a business or stops working on an account, clients will usually remove that user’s access to the page. If this happens, anything that uses that user’s token will become invalid.
- The platform triggers a blanket reset. The networks roll out security updates regularly, and these have been known to invalidate all tokens that have been collected for a client. This is beyond our control, and we will notify you when it happens.