API authentication from a Facebook Messenger bot conversation

Noam Hacker · Apr 13, 2016 · Viewed 8.7k times

What is the best way to authenticate with an external API from a conversation with a bot on the Facebook Messenger platform?

For a broad example, I would like a user of my bot to create items on their own profiles of an external website. Is there a way to get login information from the user, or connect my bot to the external website, without the user explicitly sending a message to the bot with their username and password?

What I found in the documentation under User Profile API:

You can personalize the conversation using the person's name or profile pic from the User Profile API. In order to get this information, make a GET request to https://graph.facebook.com/v2.6/<USER_ID>?fields=first_name,last_name,profile_pic&access_token=<PAGE_ACCESS_TOKEN>. Read more details in the Send API reference.

This isn't quite what I'm looking for but it helps. Here's more info from the docs:

User Profile API

Request

curl -X GET "https://graph.facebook.com/v2.6/<USER_ID>?fields=first_name,last_name,profile_pic&access_token=<PAGE_ACCESS_TOKEN>"

Response

{ "first_name": "Peter", "last_name": "Chang", "profile_pic": "https://fbcdn-profile-a.akamaihd.net/hprofile...70ec9c19b18" }

Answer

pschang · Apr 16, 2016

It depends how they come in.

  1. If they come from your website, you can use the Send to Messenger button from within their account. Use the pass-through param to link your account to the user thread. Here's an excerpt from the documentation:

The plugin takes in a pass-through parameter defined by you. This parameter is sent back to you via a callback. You can use this to link the authentication event to a person and/or transaction. For example, a person may enter an online flow for a specific transaction and click the Send-to-Messenger button. You can pass in data to know which user and transaction was tied to the authentication event. You should encode and encrypt this parameter.

  2. If they come directly to your bot, you would have to present them with a login of some sort (your login) from within the conversation. This would happen in a link to a mobile web URL.
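
The documentation excerpt above says the pass-through parameter should be encoded and encrypted. The following Node.js sketch is an added example, not code from the answer or from Facebook: it seals the site account and transaction into an opaque value with AES-256-GCM (this example's choice of cipher) and rejects tampered or stale values when the callback arrives. The function names `sealRef`, `openRef` and `handleOptin`, the 10-minute lifetime, and the callback shape (`sender.id`, `optin.ref`) are assumptions.

```javascript
const crypto = require('crypto');

// Constructed demo key; a real deployment loads a fixed 32-byte key from a secret store.
const KEY = crypto.randomBytes(32);
const MAX_AGE_MS = 10 * 60 * 1000; // assumed lifetime of a pass-through value

// Encrypt {account, transaction, issued-at} into an opaque, URL-safe string.
function sealRef(accountId, txId, now = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const plaintext = JSON.stringify({ a: accountId, t: txId, iat: now });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Decrypt and validate a value from the callback; null on tampering or expiry.
function openRef(ref, now = Date.now()) {
  try {
    const raw = Buffer.from(String(ref), 'base64url');
    if (raw.length < 29) return null; // 12-byte IV + 16-byte tag + data
    const decipher = crypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { a, t, iat } = JSON.parse(pt.toString('utf8'));
    if (typeof iat !== 'number' || now < iat || now - iat > MAX_AGE_MS) return null;
    return { accountId: a, txId: t };
  } catch (err) {
    return null; // failed authentication tag, truncated input or malformed JSON
  }
}

// Link the Messenger sender to the site account named in the value.
// Assumed event shape: { sender: { id }, optin: { ref } }.
const links = new Map(); // senderId -> accountId, standing in for a database
function handleOptin(event, now = Date.now()) {
  const claim = openRef(event.optin && event.optin.ref, now);
  if (!claim) return false; // never link on an unverifiable value
  links.set(event.sender.id, claim.accountId);
  return true;
}
```

A value replayed inside its lifetime is still accepted by this sketch; recording each transaction id once it has been linked closes that gap.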