API authentication from a facebook messenger bot conversation

facebook authentication bots facebook-messenger facebook-messenger-bot
Noam Hacker picture Noam Hacker · Apr 13, 2016 · Viewed 8.7k times · Source

What is the best way to authenticate with an external API from a conversation with a bot on the facebook messenger platform?

For a broad example, I would like a user of my bot to create items on their own profiles of an external website. Is there a way to get login information from the user, or connect my bot to the external website, without the user explicitly sending a message to the bot with their username and password?

What I found in the documentation under User Profile API:

You can personalize the conversation using the person's name or profile pic from the User Profile API. In order to get this information, make a GET request to https://graph.facebook.com/v2.6/?fields=first_name,last_name,profile_pic&access_token=. Read more details in the Send API reference.

This isn't quite what I'm looking for but it helps. Here's more info from the docs:

User Profile API

Request

curl -X GET "https://graph.facebook.com/v2.6/<USER_ID>?fields=first_name,last_name,profile_pic&access_token=<PAGE_ACCESS_TOKEN>"

Response

{ "first_name": "Peter", "last_name": "Chang", "profile_pic": "https://fbcdn-profile-a.akamaihd.net/hprofile...70ec9c19b18" }

Answer

pschang picture pschang · Apr 16, 2016

It depends how they come in.

  1. If they come from your website, you can use the Send to Messengee button from within their account. Use the pass through param to link your account to the user thread. Here's an excerpt from the documentation:

The plugin takes in a pass-through parameter defined by you. This parameter is sent back to you via a callback. You can use this to link the authentication event to a person and/or transaction. For example, a person may enter an online flow for a specific transaction and click the Send-to-Messenger button. You can pass in data to know which user and transaction was tied to the authentication event. You should encode and encrypt this parameter.

  1. If they come directly to your bot, you would have to present them with a login of some sort (your login) from within the conversation. This would happen in a link to an mobile web URLs.

Related questions

How do popular apps authenticate user requests from their mobile app to their server?

Say I have an Android application that connects to a .Net API for receiving/setting data. The confusion that I have is regarding how to sign-up/login the user first time and authenticate it every time they make a request …

Read More
Is Facebook an OpenID provider?

Is Facebook an OpenID provider? I know they are an OpenID supporter but do they allow people to authenticate with other sites via OpenID with their Facebook credentials?

Read More
Get public page statuses using Facebook Graph API without Access Token

I'm trying to use the Facebook Graph API to get the latest status from a public page, let's say http://www.facebook.com/microsoft According to http://developers.facebook.com/tools/explorer/?method=GET&path=microsoft%2Fstatuses - I …

Read More