Facebook tool
The Facebook tool lets an agent manage a Facebook Page through the Graph API — publish posts, read comments and insights, reply to and moderate comments, and edit or delete posts. Set it up once as a tool configuration with a Page access token, then assign it to a bot.
What it can do
The agent chooses an action per call. Available actions:
- Publish — text, link, photo, multi-photo, video, and reel posts (optionally scheduled).
- Read — posts, a single post, comments, ratings, and insights/analytics.
- Engage — reply to comments; hide/unhide comments and posts.
- Manage — edit, pin/unpin, and delete posts.
- Discover —
list_pagesreturns the Pages the token manages (id, name, tasks).
Configuration
The tool has three fields:
- Access token (required) — a Facebook Page access token, or a User access token that manages the Page. Stored encrypted and never shown again after saving. See How to get a token.
- Page ID (optional) — the numeric Page ID. Set it to lock the configuration to one Page; leave it blank for multi-page mode.
- API version (optional) — the Graph API version. Defaults to
v25.0; most users never change it.
How to get an access token
Prerequisites
- You must be an admin (full control) of the Facebook Page.
- You need a Meta app: developers.facebook.com/apps → Create app → type Business. Managing your own Page works at Standard Access — no App Review needed.
- The app must have Page permissions enabled — add the Facebook Login product, or (newer dashboard) a use case that includes Page management. Without this the permissions below can't be requested.
Required permissions
Request all six:
pages_show_list— list the Pages you managepages_read_engagement— read Page content & follower datapages_read_user_content— read posts, comments, and ratingspages_manage_posts— create, edit, delete Page postspages_manage_engagement— create/edit/delete comments; manage likesread_insights— read Page & post analytics
Quick path — short-lived token (testing, ~1–2 hours)
- Open the Graph API Explorer.
- Top-right Meta App dropdown → select your app.
- User or Page → Get User Access Token → tick the six permissions → Generate Access Token → log in / authorize, keeping your Page selected in the opt-in step.
- Reopen User or Page → under Page Access Tokens, click your Page. The token field switches to the Page token — that's the value to paste. (Sanity check: with it selected,
GET /mereturns your Page's name, not your profile.)
Durable path — long-lived Page token (recommended for production)
A Page token derived from a long-lived user token is effectively non-expiring.
- Get a short-lived User token (steps 1–3 above; stop at the user token).
- Exchange it for a long-lived user token (~60 days), using your App ID and App Secret:
GET https://graph.facebook.com/v25.0/oauth/access_token?grant_type=fb_exchange_token&client_id={APP_ID}&client_secret={APP_SECRET}&fb_exchange_token={SHORT_LIVED_USER_TOKEN} - Read your Page tokens:
Copy theGET https://graph.facebook.com/v25.0/me/accounts?fields=id,name,access_tokenaccess_tokenfor your Page — that's the durable Page token.
Page token vs User token
- Page token → scoped to one Page. Best when this config manages a single Page (pair with Page ID set, or leave it blank and the tool auto-detects the Page).
- User token → can manage many Pages you administer. Best for multi-page mode — the tool resolves the correct Page token per Page via
/me/accountsautomatically. On Meta's "New Pages Experience" a user token alone can't post; the tool converts it to the needed Page token.
Finding the Page ID
Simplest: save the tool without a Page ID, then have the bot call the list_pages action — it returns each manageable Page's id and name. You can also read it from GET /me/accounts, or find it on the Page under About / Page transparency.
Single-page vs multi-page mode
- Single-page — set Page ID. The bot is locked to that Page and can't post anywhere else. Safest for a Page-specific bot.
- Multi-page — leave Page ID blank and use a User token. One configuration then drives every Page the token manages; the agent supplies the Page per action (and can
list_pagesto discover them). Note that in this mode the AI chooses which Page to act on, limited to Pages the token already controls.
You can also create multiple separate configurations (one per Page) — fully supported; each just needs a distinct name.
Token expiry & refresh
Tokens can expire or be invalidated — a password change, a security event, or the ~1–2 hour life of an Explorer token. When that happens, every action fails with a clear error like "Session has expired" or "Error validating access token." For production, use the durable path above. There is no automatic refresh — if a token dies, edit the config and paste a new one (leaving the token blank on edit keeps the stored one, so you must retype to replace it).
Behavior to expect
- Hide/unhide applies to visitors' posts and comments, not the Page's own — Facebook won't let a Page hide its own content. Use edit or delete for the Page's own posts.
- Scheduling window — a scheduled post must be roughly 10 minutes to 30 days in the future; outside that, Facebook rejects it.
- Insights metrics — metric names change over time and many classic ones are retired (e.g.
page_impressions,page_fans,post_impressionsare invalid). Current working examples includepage_post_engagements,page_views_total,page_daily_follows,post_clicks. The tool passes names through as-is — check Meta's current Page/Post Insights metric reference. - Pin/unpin may be rejected depending on the token's rights ("insufficient permissions") — treat it as best-effort.
- Media — image and video sources must be publicly reachable
httpsURLs; Facebook fetches them server-side.
Safety in autonomous runs
Like any tool, the Facebook tool carries a safety classification (mutating / destructive / sends-data-externally) that governs scheduled or triggered (autonomous) runs. Classify the configuration to match what its token can actually do, and prefer the tighter control: scope the token (a single Page, only the permissions you need) so a limit is enforced by Facebook rather than only by an app-layer flag. Interactive chat is never gated by these flags.
Security
The access token is stored AES-encrypted at rest and is never returned by the API — the console shows only whether a token is set. Editing a configuration without retyping the token preserves the stored one.