Facebook App Review for Server-to-Server Apps

In a database table, I kept interesting World War II facts that took place on every date throughout the course of a calendar year. I had scheduled a Python script to make daily queries against this table with the current date, and then post the result on my WW2DB Facebook Page via the Facebook GraphAPI. This was deployed some years ago and had been working without a hitch.

In 2018, in response to the many security/privacy related problems that you have undoubtedly read about, Facebook tightened things up quite a bit. Understandably, my process was affected. Facebook informed me that I had to undergo an app review, particularly to justify my need for these two permissions:

  • manage_pages
  • publish_pages

I initially received this request for app review around July or August 2018. I immediately got to work. Surprisingly, I was repeatedly rejected; most of the time the reason was that I failed to show Facebook folks how a user logs in to Facebook using my app, despite my clearly noting that my application was a server-to-server app that had no user interface. I reached out to a good friend who works at Facebook just to see if he happened to know anyone who might know someone with this knowledge; he came back telling me that everyone he spoke to was equally stumped. Life got busy, and I forgot about this issue for a while. I did not pick it up until last week. After two more rejections, today, 5 February 2019, I finally got everything straightened out after more than half a year (but again, my own delay in late 2018 admittedly also dragged it on a bit).

You would imagine this to be a straightforward process, right? I guess not! Hopefully, my notes below will help you shorten the time you need to get your server-to-server app approved.

First, the basics. Go to https://developers.facebook.com/apps/, find and click on your application. Then, click “Settings” on the left, and then “Basic”; in here, I have these fields populated: Display Name, Contact Email, Privacy Policy URL, Terms of Service URL, App Icon, and Category. On the bottom of the page, I added “Website” as my platform (note there is no option for a server-to-server application).

Then, go to “App Review” and then “Permissions and Features”. Scroll down to “manage_pages” and click on the “Request” button. Do the same for “publish_pages”. Then click the “Continue” link to fill out some info for each of the two.

For “publish_pages”:

  • “Tell us how you’re using this permission or feature” — I told them that this is a server-to-server application, explained how my Python script queries my database, and then uses Facebook GraphAPI to post to my own page.
  • “Demonstrate how your selected platforms will use this permission or feature” — I checked “web” (note there is no option for server-to-server), and then in the text box listed the 3 steps below, and then noted that I would be uploading a blank screencast (it was literally a 5-minute-long video of a black screen) because this server-to-server app has no user interface. I also offered to send them the source code of my script if Facebook wanted to look at it (in fact, in one of my failed attempts to secure permission, my screencast was actually showing my source code so they could have a developer confirm the code does what I described).
    1. My Python script queries my database for relevant entries for the current date
    2. The script then creates an instance of Facebook GraphAPI
    3. Use the “.put_object” method to make a post on my own page https://www.facebook.com/worldwar2
  • Then, I uploaded the blank video aforementioned.
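The three steps listed above, written out as an added example script; this is not the author's script or the page's own code. It assumes a table keyed by month and day (the real schema is not shown on the page), the facebook-sdk package for the real client, a Page access token supplied through an environment variable named FB_PAGE_ACCESS_TOKEN (name is an assumption) rather than hardcoded in the source, and a DryRunGraph stand-in so the daily job can be rehearsed against constructed data before the permissions are granted:

```python
import datetime as dt
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data standing in for the author's table; the real
# schema is not shown on the page, so this layout is an assumption.
SAMPLE_ROWS = [
    ("02-05", 1941, "constructed sample fact one"),
    ("02-05", 1945, "constructed sample fact two"),
    ("06-06", 1944, "constructed sample fact three"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory table keyed by month-day, as the script would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facts (month_day TEXT, year INTEGER, fact TEXT)")
    conn.executemany("INSERT INTO facts VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def facts_for_date(conn: sqlite3.Connection, day: dt.date) -> List[Tuple[int, str]]:
    """Step 1: parameterised query for the entries matching the given date."""
    key = day.strftime("%m-%d")
    cur = conn.execute(
        "SELECT year, fact FROM facts WHERE month_day = ? ORDER BY year", (key,)
    )
    return [(int(year), fact) for year, fact in cur.fetchall()]


def compose_post(day: dt.date, rows: List[Tuple[int, str]]) -> Optional[str]:
    """Turn the rows into one post body; None means there is nothing to post today."""
    if not rows:
        return None
    header = "On this day, " + day.strftime("%d %B") + ":"
    return "\n".join([header] + [f"{year}: {fact}" for year, fact in rows])


class DryRunGraph:
    """Stand-in for facebook.GraphAPI that records posts instead of sending them.
    Lets the schedule be rehearsed before the permissions are granted."""

    def __init__(self) -> None:
        self.posts: List[Tuple[str, str]] = []

    def put_object(self, parent_object: str, connection_name: str, **data) -> dict:
        self.posts.append((parent_object, data["message"]))
        return {"id": f"dry-run-{len(self.posts)}"}


def make_graph_client():
    """Step 2: build the real client. Assumes the facebook-sdk package and a Page
    access token in an environment variable (name is an assumption), so the token
    never lives in the source code or in a screencast of it."""
    import facebook  # imported lazily so dry runs work without the package

    return facebook.GraphAPI(access_token=os.environ["FB_PAGE_ACCESS_TOKEN"])


def run_daily(conn, graph, page_id: str, today: Optional[dt.date] = None) -> Optional[dict]:
    """Steps 1-3 for one day: query, compose, then put_object on the page feed."""
    today = today or dt.date.today()
    message = compose_post(today, facts_for_date(conn, today))
    if message is None:
        return None  # nothing recorded for this date: skip posting rather than post an empty entry
    return graph.put_object(parent_object=page_id, connection_name="feed", message=message)


if __name__ == "__main__":
    # Dry run against the constructed data; swap DryRunGraph() for
    # make_graph_client() and "me" for the real Page id when going live.
    client = DryRunGraph()
    print(run_daily(build_sample_db(), client, "me", dt.date(2019, 2, 5)))
    print(client.posts[0][1])
```

Keeping the query, the message composition and the Graph call in separate functions means the only part that needs the two permissions is the single put_object call, which is the least-privilege story the review form asks for; the dry-run client also gives you something concrete to show a reviewer without exposing a live token.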

For “manage_pages”:

  • “Tell us how you’re using this permission or feature” — Copy/pasted the same as above.
  • “Demonstrate how your selected platforms will use this permission or feature” — I checked the “Server-to-Server” option, and then copy/pasted the same text as above, minus the mention of the blank video.

After saving those two, I submitted my request.

In my case, a business day or so later, I received word of my approval, but final implementation was pending my proving that my business is legitimate. If you have this requirement as well, in addition to showing your business as legitimate, you will also want to show that your business phone number is legitimate. To satisfy these two requirements, I uploaded scans of:

  1. The Business Registration Certificate showing that my business had been properly registered with the government. In my case, it is the state of New Jersey in the United States; your document may be titled differently. This document shows my business name and mailing address, but it does not show my phone number.
  2. The contract I signed on behalf of my business renting a mailbox from the local UPS Store. This document shows my business name, mailing address, and phone number.
  3. United States Postal Service Application for Delivery of Mail Through Agent, which was signed by both the manager of the UPS Store and myself on behalf of my business. This document shows my business name, mailing address, and phone number. The UPS Store contract alone probably was enough, but I thought I would upload this, just in case.

While I understand there are a lot of shady elements on the web, and Facebook had been a victim of those elements, this whole process was not easy. The official instructions I found on Facebook's site were slightly out of date, and there was no way for me to get any human assistance. The end result was that Facebook’s reviewers had to spend extra time re-reviewing my repeated attempts, and I needed to spend extra time rewording my requests while trying to guess what Facebook wanted to see. In comparison, when Google (via its AdSense program) recently asked me to comply with GDPR, I was able to easily reach a human (via email), who clarified exactly what actions I needed to take. After I implemented the requirements, he even emailed me back to confirm my compliance. The experience with Google was much smoother when compared to Facebook’s.