Facebook & Twitter API

Application Programming Interface: Facebook, Twitter. Fabrice Delhoste, Dec. 2013. Facebook: http://www.facebook.com/fabricedelhoste, Twitter: @spifd, slides: http://www.slideshare.net/fabricedelhoste

Uploaded by fabrice-delhoste, posted on 08-Sep-2014

DESCRIPTION

This is my initial release of a slide deck used to support a quick training for students on the Facebook and Twitter APIs. A lot of stuff would need to be fixed (my English first, as a non-native writer :-). It also does not (yet?) cover all APIs. This material is better with its associated resources, such as the underlying Postman request collections. Please feel free to give feedback if any.

TRANSCRIPT

Slide 1 - Application Programming Interface: Facebook, Twitter. Fabrice Delhoste, Dec. 2013. http://www.slideshare.net/fabricedelhoste - Facebook: http://www.facebook.com/fabricedelhoste - Twitter: @spifd

Slide 2 - Content
- API
- Social Networks
- Facebook
- Twitter

Slide 3 - Warning
These slides are for training or educational purposes. They do not replace reference documentation. This is my first version, December 2013. If you read this after 2013, check for deprecation. Feel free to give me your feedback. Pictures and clip art are free for use. Credits coming in the next release.

Section - API: Application Programming Interface

Slide 5 - API: API?
- Application Programming Interface
- Software-to-software contract
- Defines the interactions between components

Slide 6 - API: A good API can provide
- Flexibility, security, ease of use, simplicity, scalability, portability
- Modern software is made of APIs; otherwise it would serve a limited purpose

Slide 7 - API: Design Patterns
- Separating interface from implementation
- Façade design pattern: a simplified interface to a larger body of code
  - Makes software easier and more convenient to use
  - Reduces dependencies
  - Wraps poorly designed APIs behind a single well-designed API

Slide 8 - API: Platform
- Developers can be customers, or channels to customers
- Offering them a friendly, helpful API is business-oriented: cost reduction, time-to-market, know-how and expertise

Slide 9 - API: Cloud Computing
- Infrastructure-as-a-Service (IaaS), infrastructure level: the API provides control, distribution, network and workload
- Platform-as-a-Service (PaaS), service level: the API provides messaging systems, databases, execution environment
- Software-as-a-Service (SaaS), application level: the API mediates between apps and the underlying IT infrastructure
- Backend-as-a-Service (BaaS), application development level: the API provides a unified way to connect apps to cloud services

Slide 10 - API: General Recommendations
- Try test-driven design
- Think about what the client really needs, not what your server can offer
- Choose vocabulary wisely
- Use standards when possible
- Copy and enhance popular existing APIs
- Be self-descriptive, developer-friendly
- Try defining the highest level of API

Slide 11 - API: Practical Work
- Real-world use case analysis: what would you have done?

Section - HTTP: Quick Overview

Slide 13 - HTTP
- Application protocol for distributed hypermedia systems
- Request / response
- Stateless
- Media independent
- Foundation of the WWW
- Current version: 1.1 (at the time of writing)

Slide 14 - HTTP: Request Format
- Request line
- Request headers
- Empty line
- Optional message body

Example (a Twitter API call captured through Postman; the X-* headers are Postman proxy additions):
    POST /1.1/lists/create.json?name=My%20new%20list&mode=private HTTP/1.1
    Host: api.twitter.com
    Authorization: OAuth oauth_consumer_key=
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 0
    Connection: Keep-Alive
    X-HostCommonName: api.twitter.com
    X-Target-URI: https://api.twitter.com

Slide 15 - HTTP: Response Format
- Status line
- Response headers
- Empty line
- Optional message body

Example (body truncated on the slide):
    HTTP/1.1 200 OK
    content-type: application/json; charset=utf-8
    last-modified: Sun, 08 Dec 2013 20:41:48 GMT
    status: 200 OK
    date: Sun, 08 Dec 2013 20:41:48 GMT
    Connection: close
    content-length: 1879

    { "id_str": "101144843", "full_name": "@spifd/lists/my-new-list", "user": { "id_str": "18229030",

Slide 16 - HTTP: URL (Uniform Resource Locator)
- scheme://host/path?query#fragment; the fragment is not sent to the server, only the browser sees it
- HTTP: clear text; HTTPS: encrypted
- URL (or percent) encoding: the reserved characters ! # $ & ( ) * + , / : ; = ? @ [ ] are converted to %21 %23 %24 and so on

Slide 17 - HTTP: Verbs (methods)
- GET: retrieve a resource (safe, idempotent)
- HEAD: GET without body (safe, idempotent)
- PUT: create/update a resource (idempotent)
- DELETE: delete a resource (idempotent)
- POST: add a subordinate resource (not safe, not idempotent)
- Others: TRACE (echo the request back to the sender), OPTIONS (list the supported HTTP verbs), CONNECT (connect through a proxy), PATCH (partial update)
- Safe: must not modify resources. Idempotent: one call has the same effect as repeated calls.
- These are semantics only; the protocol itself enforces no such constraint.

Slide 18 - HTTP: Headers
- General headers, for both request and response messages, e.g. Cache-Control, Connection
- Request headers, only for request messages, e.g. Authorization, Accept, Cookie, Host, User-Agent
- Response headers, only for response messages, e.g. Server, Set-Cookie
- Entity headers, metadata about the entity body, e.g. Content-Encoding, Content-Length, Content-Type, Last-Modified

Slide 19 - HTTP: Request Parameters
- For GET, part of the URL query string as field/value pairs: field1=value1&field2=value2&field3=value3
- For POST, request parameters are sent in the body:
  - with "Content-Type: application/x-www-form-urlencoded", the body contains field1=value1&field2=value2&field3=value3
  - with "Content-Type: multipart/form-data" (for binary data), the body is split into parts separated by a particular boundary string, each part carrying its own Content-Disposition and Content-Type headers

Slide 20 - HTTP: Status Codes
- 1xx: Informational
- 2xx: Successful, e.g. 201 Created (PUT and POST)
- 3xx: Redirection, e.g. 302 Found, 304 Not Modified (If-Modified-Since header)
- 4xx: Client Error, e.g. 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 405 Method Not Allowed
- 5xx: Server Error, e.g. 500 Internal Server Error, 503 Service Unavailable

Slide 21 - HTTP: Security
- The Authorization header allows different kinds of authentication: basic, digest, oauth. Format: Authorization: {Type} {Data}
- Example: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== (the RFC 2045 MIME variant of Base64 applied to login:password). Base64 is an encoding, not encryption, so Basic credentials are only safe over HTTPS.
- Encryption with HTTPS = HTTP over SSL/TLS: the handshake uses asymmetric keys to agree on a short-term symmetric session key, which then encrypts the whole HTTP data flow

Slide 22 - HTTP: Disclaimer
The HTTP requests in these slides are not written exactly, to ease readability. In particular they do not strictly respect the HTTP format, do not always apply URL-encoding where needed, and do not contain all HTTP headers and body. We are humans, not machines.
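As an added example (not from the deck), here is a small parser for the request format of slides 14 and 19 together with the Basic-credential encoding of slide 21. The sample request is constructed from the deck's Twitter example; its Authorization header is the RFC 2617 "Aladdin" example standing in for the truncated OAuth header on the slide.

```python
"""Parse a raw HTTP/1.1 request and decode HTTP Basic credentials.

Added example, not code from the slide deck. The request below is a
constructed variant of the deck's Twitter example (slide 14) with the
RFC 2617 Basic header in place of the truncated OAuth one.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, CRLF line endings as on the wire.
SAMPLE_REQUEST = (
    b"POST /1.1/lists/create.json?name=My%20new%20list&mode=private HTTP/1.1\r\n"
    b"Host: api.twitter.com\r\n"
    b"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: Keep-Alive\r\n"
    b"X-Target-URI: https://api.twitter.com\r\n"
    b"\r\n"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a request into request line, headers and body.

    Header names are lower-cased because they are case-insensitive
    (RFC 7230); a header repeated on the wire is joined with ", ".
    The body is cut to the declared Content-Length.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers CRLF CRLF")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        # Split on the first colon only: values such as URLs contain ':'.
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    url = urlsplit(target)
    declared = int(headers.get("content-length", "0"))
    return {
        "method": method,
        "path": url.path,
        "query": parse_qs(url.query),  # percent-decoded field -> [values]
        "version": version,
        "headers": headers,
        "body": body[:declared],
    }


def decode_basic(authorization: str):
    """Return (user, password) from 'Basic <base64>', or None if the
    header is not Basic, not valid Base64, or lacks the ':' separator."""
    scheme, _, data = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(data.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, colon, password = creds.partition(":")
    if not colon:
        return None
    return user, password


def encode_basic(user: str, password: str) -> str:
    """Build the header value; RFC 7617 forbids ':' in the user-id."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    req = parse_http_request(SAMPLE_REQUEST)
    print(req["method"], req["path"], req["query"])
    print(decode_basic(req["headers"]["authorization"]))
```

The decoder deliberately returns None rather than raising on malformed input, so a server can answer 401 without leaking why the header was rejected.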
Section - Postman: Chrome App, Handy HTTP Client

Slide 24 - Postman (screenshot)

Slide 25 - API: Practical Work
- Download and install Google Chrome
- Download and install Postman (packaged app): http://www.getpostman.com/
- If you want to inspect requests in the Google Chrome network console, browse chrome://flags and "Enable debugging for packed apps"
- Take time to play and get familiar with Postman features; we'll use it all along the training
- See how to create collections and save them; I'll collect your backup

Section - REST: Designing Lightweight APIs

Slide 27 - REST
- REpresentational State Transfer
- Defined by the author of HTTP 1.0 and 1.1 (Roy Fielding)
- Architectural style
- REST = transfer of representations of resources
- A simple way to handle interactions between systems

Slide 28 - REST: Main Principles
- Identify everything with an identifier
- Link things together
- Use standards
- Resources with multiple representations
- Stateless

Slide 29 - REST: Characteristics
- Lightweight, scalable, simple, flexible, readable, reliable, efficient, portable

Slide 30 - REST: HTTP-based
- Easy SOA (Service-Oriented Architecture); SOAP is another way, often cumbersome
- Pragmatic approach, mostly based on the HTTP protocol: well known, widely deployed, avoids new layers
- Use HTTP verbs
- Use the URI as the global identifier for resources

Slide 31 - REST: RESTful Constraints
- Client-server: separation of concerns, separate interface from implementation
- Stateless server: each request contains all the necessary information
- Cache: responses are labelled as cacheable or not
- Uniform interface:
  - Identification of resources: each resource is uniquely identified
  - Manipulation of resources through representations: each resource has one or more representations
  - Self-descriptive messages: a message carries not only data but everything necessary for it to be processed
  - Hypermedia as the engine of application state (HATEOAS): the server gives the client the information needed to navigate the service
- Layered system: the client has no idea whether it talks to the end server or to intermediaries processing the requests
- Code-on-demand (optional): clients are extendable by downloading code

Slide 32 - REST: CRUD
- POST = CREATE, GET = READ, PUT = UPDATE, DELETE = DELETE
- Alternative for filtering proxies: POST /dogs?method=delete

Slide 33 - REST: Resources
- Use nouns, not verbs
- Plural: /dogs
- Concrete: /dogs instead of /animals
- Use the JavaScript naming convention

Slide 34 - REST: Collections
- 2 base URLs per resource: the collection /dogs and the element /dogs/1234

Slide 35 - REST: Requests for resources
- GET /owners/5678/dogs
- POST /owners/5678/dogs
- GET /dogs?color=red&state=running&location=park
- GET /dogs?fields=name,color,location.city
- GET /dogs.xml?limit=25&offset=50
- GET /owners/5678/dogs?q=Bobby (search)

Slide 36 - REST: Requests for non-resources
- Use verbs for non-resources: compute, search, ...
- GET /convert?from=EUR&to=CNY&amount=100
- GET /search?q=toto (global search)
- GET /owners/5678/dogs/search?q=toto
- GET /dogs/count

Slide 37 - REST: Handling errors
- Use HTTP status codes; these are enough for most usages: 200 OK, 201 Created, 304 Not Modified, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 500 Internal Server Error
- Be verbose and self-descriptive in the response body. Example:
    {"developerMessage": "Verbose, plain language description of the problem for the app developer with hints about how to fix it.", "userMessage": "Pass this message on to the app user if needed.", "errorCode": 12345, "more info": "http://dev.teachdogrest.com/errors/12345"}

Slide 38 - REST: Versioning
- Make the version mandatory
- Use a "v" prefix to avoid confusion
- Use one number: the API version is not the implementation version. Ex: /v1/dogs
- Recommendations: keep backward compatibility with one previous version; communicate very early on (breaking) changes

Slide 39 - REST: REST API Design, state of the art
You want to become a REST ninja? Read everything from https://apigee.com/about/api-best-practices

Section - JSON: Overview

Slide 41 - JSON
- http://www.json.org/
- JavaScript Object Notation
- Lightweight standard data-interchange format
- Developer-friendly: easy for humans to read/write, efficient to parse/generate
- Open, not only JavaScript

Slide 42 - JSON: Types
- Number: 12, 2.45, 324.0594
- String: "hello"
- Boolean: true, false
- Array (ordered values): [ 1, "apple", true, { } ]
- Object (unordered key/value pairs): { "title": "Games of Thrones", "season": 1 }
- Empty value: null

Slide 43 - JSON: Example
    { "id": "4", "favorite_teams": [ { "id": "116174408393207", "name": "Yankees" } ], "name": "Mark Zuckerberg", "hometown": { "id": "105506396148790", "name": "Dobbs Ferry, New York" } }

Slide 44 - API: Practical Work
- In Postman, create an "API Todo" HTTP request collection
- Think about a REST API for a todo list: create/read/update/delete a todo; create/read/update/delete a todo list; read part of the data of a todo
- Imagine being a client and write all the HTTP requests; no server development, just URL and payload in Postman

Section - OAuth: Overview

Slide 46 - OAuth?
- http://oauth.net/
- An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications
- Get away from logins and passwords to grant authorizations to 3rd parties
- Publish and interact safely with users' data
- OAuth is now widely used: Facebook, Google, Twitter, ...

Slide 47 - OAuth: Before
- Applications stored passwords
- Full access to the user's account
- Revoking an application's permissions meant changing the password
- Bad guys could get the user's password
- Many proprietary solutions

Slide 48 - OAuth: Principle
- An external guest A tells the reception desk that he wants to meet employee B for business purposes.
- The reception desk notifies employee B that guest A has come to visit him.
- Employee B comes to the reception desk and identifies guest A.
- Employee B records the business purpose and identity of guest A at the reception desk.
- The reception desk issues a visitor card to guest A.
- Employee B and guest A go to the specified room to discuss their business.
Section - OAuth 1.0

Slide 50 - OAuth 1.0 (flow diagram)

Slide 51 - OAuth 1.0
- Get a request token and define the callback URL
- Direct the user to the authorization flow (login dialog)
- Callback to your URL with the request token
- Exchange the request token for an access token
- Send requests signed with the access token

Section - OAuth 2.0

Slide 53 - OAuth 2.0
- Simplified: no per-request signature, HTTPS protects the token instead
- Easier to handle
- Token expiration
- Scope: limits the access granted to the 3rd party; the values are left to OAuth providers (proprietary)

Slide 54 - OAuth 2.0: Apps
- Web-server apps (grant_type=authorization_code): the server exchanges a code for an access token
- Browser and mobile apps (implicit grant, requested with response_type=token): the browser or mobile app directly receives an access token; no server-side code needed
- Username/password access (grant_type=password): get an access token from login/password; no server-side code needed; only for trusted clients
- Application access (grant_type=client_credentials): get an access token from the client secret

Slide 55 - OAuth 2.0: Example, Web-server Apps (flow diagram)

Slide 56 - OAuth 2.0: Example, Web-server Apps
- Register your callback URL with the provider
- Direct the user to the authorization flow (login dialog)
- Callback to your server with a code
- Exchange the code for an access token
- Send (not sign) requests with the access token as an HTTP query parameter or in the Authorization header
- Renew the access token when it expires (grant_type=refresh_token)

Section - Social Networks: Overview

Slide 59 - Social Media, Social Network
- A platform to handle social interactions between actors: people, communities and companies
- Sharing interests and activities
- Communications

Slide 60 - Social Networks Worldwide: Facebook, Twitter IPO

Slide 61 - Social Networks: Are they all the same?

Section - Facebook: Overview

Slide 64 - Facebook, The Social Network
- Founded in 2004, CEO: Mark Zuckerberg
- 1.19 billion monthly active users, 728 million daily active users, 874 million mobile users (late 2013 figures)

Slide 65 - Facebook?
- Re-index the web around personal information
- Identity provider across the web and mobile apps
- Replace communication channels
- Behavioural ad network
- Personalized search engine
- Customized and socialized experiences everywhere

Slide 66 - Facebook: Features
- Status updates, Timeline, Messages, Chat, SMS, Phone, Photo/Video, App Center, Promotions, Ads, Payment, Pages, Groups, Check-in

Slide 67 - Facebook: Features (screen map)
- Graph Search, Post Status/Photo/Video/Place, Go to Settings, Go to Timeline, Main Menu (Groups, Apps, Friend lists, Pages), Ticker, Ads & Suggestions, Chat, Newsfeed

Slide 68 - Facebook: Concerns
- Privacy
- Loss of control: service and content provider
- Competitors: Google, Twitter, Yahoo, Whatsapp, WeChat, Snapchat, Pinterest, ...

Slide 69 - Facebook: References
- www.facebook.com
- developers.facebook.com

Slide 70 - Facebook Platform: Practical Work
- Create your Facebook account
- Activate your developer account at https://developers.facebook.com
- Try to create an application
- Prepare your phone to receive an SMS confirmation if your Facebook account is not yet "verified"

Section - Facebook Platform

Slide 72 - Facebook Platform: A social operating system
- Access data in Facebook
- Develop and test applications on top of the Facebook APIs
- Monitor application usage
- For: applications on Facebook, external websites, device and mobile apps

Slide 73 - Facebook Platform: APIs
- Graph API, FQL, Real-time Updates, Authentication, Login with Facebook, Social Plugins, Iframes, Open Graph Protocol

Slide 74 - Facebook Platform: Terms & Conditions
- It's free!
- You cannot cache Facebook's data as you want
- You cannot re-create the social graph
- You cannot use Facebook's data for ads
- Facebook has the right to blacklist your application

Slide 75 - Facebook Platform: API Limitations
- Can't invite friends
- Can't confirm, ignore or delete a friendship
- Can't post to another user's timeline
- Can't get friends' phones or e-mails
- Can't send private messages to people
- Can't be notified on all kinds of events
- Can't read the full graph: no friends of friends
- Can't get social graph ranking (interactions)
- Can't search through the Graph Search API
- API rate limits: https://developers.facebook.com/docs/reference/ads-api/api-rate-limiting/#userlimit

Section - Facebook Platform: Creating and Configuring an Application

Slide 77 - Creating an application: Basic Settings
- Your Application Identifier, a.k.a. App ID / API Key
- Your Application Secret, a.k.a. Client Secret: very important, needed for authentication, and it must never leave your server

Slide 78 - Configuring an application: Basic Settings
- Verified when adding your app

Slide 79 - Configuring an application: Roles
- Administrators: complete access
- Developers: can modify settings but cannot reset the secret key, manage users or delete the app
- Testers: can test the application in sandbox mode but cannot modify it
- Insight Users: can access analytics but cannot modify the application

Slide 80 - Configuring an application: Advanced Settings
- Monitor and track changes to your app settings
- The security settings are very important to prevent attackers from spoofing your FB app

Slide 81 - Configuring an application: Status & Review
- When not live, the app is said to be in "sandbox mode": only administrators, developers and testers can install and use it

Slide 82 - Facebook Platform: Practical Work
- Log on to your Facebook account
- Create your own application
- Create a test user
- Log in with the test user, then back to your account
- Create and use Chrome profiles to switch between accounts

Section - Facebook: Authentication & Authorization

Slide 84 - Login with Facebook
When someone clicks this button:
- It first checks whether they are already logged in and have granted permissions to the FB application; if not, they are prompted to do so through the Login dialog
- Secure codes are exchanged to confirm identity
- If confirmed, an access token is retrieved
- The app developer then uses the access token to interact with Facebook on behalf of the user

Slide 85 - Security Model
- Based on OAuth 2.0: access token and HTTPS
- Permissions protect every piece of Facebook data, under the user's review and control during application approval

Slide 86 - Access Tokens
- User Access Token: to read/write on behalf of a FB user; obtained through the interactive login dialog
- App Access Token: to read/write on behalf of a FB application; server-to-server calls
- Page Access Token: to read/write on behalf of a FB page; obtained through the Graph API with a valid user access token
- Client Token: native mobile or desktop apps accessing limited data on behalf of a FB application; rarely used

Slide 87 - User Access Token
- Unique
- Associated with a scope (permissions) that defines its usage bounds
- Short-lived (about 1 to 2 hours) or long-lived (~60 days)
- Short-lived tokens are mainly used for web applications; long-lived tokens are obtained from short-lived ones and are mainly used for native mobile apps and server-side
- Automatic with the SDKs for JavaScript, iOS and Android
Section - Facebook Authentication & Authorization: Permissions

Slide 89 - User Permissions
user_about_me, user_actions.books, user_actions.music, user_actions.news, user_actions.video, user_activities, user_birthday, user_checkins, user_education_history, user_events, user_friends, user_games_activity, user_groups, user_hometown, user_interests, user_likes, user_location, user_notes, user_online_presence, user_photo_video_tags, user_photos, user_questions, user_relationship_details, user_relationships, user_religion_politics, user_status, user_subscriptions, user_videos, user_website, user_work_history

Slide 90 - Friends Permissions
friends_about_me, friends_actions.books, friends_actions.music, friends_actions.news, friends_actions.video, friends_activities, friends_birthday, friends_checkins, friends_education_history, friends_events, friends_games_activity, friends_groups, friends_hometown, friends_interests, friends_likes, friends_location, friends_notes, friends_online_presence, friends_photo_video_tags, friends_photos, friends_questions, friends_relationship_details, friends_relationships, friends_religion_politics, friends_status, friends_subscriptions, friends_videos, friends_website

Slide 91 - Extended Permissions
ads_management, ads_read, create_event, create_note, email, export_stream, manage_friendlists, manage_notifications, manage_pages, photo_upload, publish_actions, publish_checkins, publish_stream, read_friendlists, read_insights, read_mailbox, read_page_mailboxes, read_requests, read_stream, rsvp_event, share_item, sms, status_update, video_upload, xmpp_login

Section - Facebook Authentication & Authorization: Sending Requests

Slide 93 - Sending Requests: Example
    GET https://graph.facebook.com/me?access_token=CAAKzZBdx5dcABAIA9Q
- The access token is a secret value, here included as a query parameter of the HTTP request
- Using HTTPS (TLS) protects the request on the wire; note that query strings still tend to end up in server, proxy and browser logs, which is why the Authorization header form (slide 56) is preferable when the client supports it

Slide 94 - Sending Requests from the Server with Enhanced Security: App Secret Proof
- Attackers can steal access tokens client-side (client malware) or server-side (server attacks)
- Using the App Secret Proof makes a stolen token harder to use: activate it in the application dashboard under Advanced Settings, and Facebook then verifies, on every call, that the caller also knows the app secret (access token integrity and authentication)

Slide 95 - Computing the App Secret Proof
- Add the query parameter to all of your server-side requests: appsecret_proof = HMAC-SHA256(key, message), hex-encoded
- HMAC = Hash-based Message Authentication Code; key = {app_secret}; message = {access_token}

Slide 96 - Example
    https://graph.facebook.com/me?access_token=CAAKzZBdx5dcABAIAjZBs9Q&appsecret_proof=
- Compute and add this query parameter to every request

Section - Client-side User Authentication

Slide 98 - Step 1: Login Dialog (in the browser)
    GET https://www.facebook.com/dialog/oauth?client_id=760835680597440&redirect_uri=http%3A%2F%2Ffabrice.delhoste.com%2F&response_type=token&scope=read_stream,user_friends,status_update
- client_id: the Application Id, set to the value defined in the app dashboard
- response_type=token: request an access token (client-side)
- scope: read permissions (read_stream, user_friends) and publish permissions (status_update)
- Set the audience to "Only me" in paranoia mode
- The browser is redirected to http://fabrice.delhoste.com#access_token=CAAKzZBdx5dcABABBHv8vXR1&expires_in=6258
- This is a short-lived access token (~2 hours); URL fragments (#...) are NOT sent to the server

Slide 99 - Step 2: Convert the short-lived token to a long-lived access token (optional)
    GET https://graph.facebook.com/oauth/access_token?client_secret=9e4461c0364f179e6c9f12adf16b7cc9&client_id=760835680597440&grant_type=fb_exchange_token&fb_exchange_token=CAAKzZBdx5dcABABBHv8vXR1
- client_secret is the Application Secret, so this call belongs on your server, never in the browser
- fb_exchange_token is the short-lived access token obtained previously
- Response: access_token=CAAKzZBdx5dcABAM8oQG1ivoyBZBC9&expires=5181099, a long-lived access token (~60 days)

Slide 100 - Review the user's application settings (1): you can find more here (screenshot)

Slide 101 - Review the user's application settings (2)
- Use "Only me" when in doubt
- Review permissions
- Detect unusual activity, or simply purge unused apps

Section - Server-side User Authentication

Slide 103 - Step 1: Login Dialog (in the browser)
    GET https://www.facebook.com/dialog/oauth?client_id=760835680597440&redirect_uri=http%3A%2F%2Ffabrice.delhoste.com%2F&response_type=code&scope=read_stream,user_friends,status_update
- client_id: the Application Id, set to the value defined in the app dashboard
- response_type=code: request a code (server-side); it can be used once and expires shortly
- scope: read permissions (read_stream, user_friends) and publish permissions (status_update)
- Set the audience to "Only me" in paranoia mode
- The browser is redirected to http://fabrice.delhoste.com/?code=AQCtOF4xjIObCApYPFsTwMy2AumKjEi2fw97az7UMBVrhSH-r59SLS

Slide 104 - Step 2: Exchange the code for a long-lived access token
    GET https://graph.facebook.com/oauth/access_token?client_id=760835680597440&redirect_uri=http%3A%2F%2Ffabrice.delhoste.com%2F&client_secret=9e4461c0364f179e6c9f12adf16b7cc9&code=AQCtOF4xjIObCApYPFsTwMy2AumKjEi2fw97az7UMBVrhSH-r59SLS
- client_secret is the Application Secret: server-side only (security). Never, ever, put the app secret in client code!
- Because the "code" confirmation is meant for server-side use, the result is a long-lived access token (~60 days) bound to the user, the application and the requested permissions
- Response: access_token=CAAKzZBdx5dcABALYm0KZBcPSm2oVepJ8MZ&expires=5181609

Section - Server-side Application Authentication

Slide 106 - App access token (grant_type=client_credentials)
    GET https://graph.facebook.com/oauth/access_token?client_id=760835680597440&client_secret=7bdde89123d51317e6bd7e644d5202fd&grant_type=client_credentials
- client_id: the Application Id; client_secret: the Application Secret. Despite the "in browser" label on the original slide, this call carries the app secret and must be made from your server.
- Response: access_token=760835680597440|MeOsSs6rIfH0SolW53nJnG8Atzs

Section - Debugging Tokens

Slide 108 - Debugging Tokens: Tool (screenshot of the Access Token Debugger)

Slide 109 - Debugging Tokens: API
    GET https://graph.facebook.com/debug_token?input_token=CAAKzZBdx5d&access_token=CAAKzZBdx5dcAB
- input_token: the token to debug; access_token: an app access token (or a developer's token) authorizing the call
- Response for an invalidated token:
    { "data": { "error": { "message": "Error validating access token: Session does not match current", "code": 190, "subcode": 460 }, "app_id": 760835680597440, "is_valid": false, "application": "Training API", "user_id": 702008335, "expires_at": 0, "scopes": [ "read_stream", "status_update", "user_friends" ] } }
- Check is_valid, app_id and scopes before trusting a token that came from a client

Section - Graph API Explorer: authenticate and explore the Facebook API easily
Slide 111 - Graph API Explorer: Features (screenshot)
Slide 112 - Graph API Explorer: Permissions (screenshot)
Slide 113 - Open Graph Debugger (screenshot)
Slide 114 - Access Token Tool (screenshot)

Slide 115 - Practical Work
In Postman and your browser, build a "FB Auth" collection of HTTP requests to:
- Get a long-lived client-side access token with permissions to get all birthdays
- Get a server-side access token with permissions to read the newsfeed, publish statuses and photos
- Debug those tokens

Section - Facebook Graph API

Slide 117 - Facebook Graph API?
- Doc: https://developers.facebook.com/docs/graph-api/reference
- Endpoint: https://graph.facebook.com/
- Get data in and out of Facebook's social graph
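The server-side login flow of slides 103-104, the appsecret_proof of slide 95 and the debug_token check of slide 109, as one added example in Python (not the deck's code nor Facebook's SDK). It runs offline on constructed values: the URLs and parameter names are those on the slides; the state parameter, which the slides omit, is an addition (OAuth 2.0's login-CSRF protection); the token strings and ids used in the usage are taken from the slides or made up.

```python
"""Server-side Facebook login helpers: code flow, appsecret_proof, token check.

Added example, not code from the slide deck or from Facebook. Everything
runs offline on constructed data. The `state` parameter is an addition to
what the slides show (OAuth 2.0 CSRF protection); token values are made up.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

DIALOG_URL = "https://www.facebook.com/dialog/oauth"          # slide 103
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"   # slide 104


def new_state() -> str:
    """Unguessable per-login value, to be stored in the user's session."""
    return secrets.token_urlsafe(32)


def build_login_url(app_id: str, redirect_uri: str, scopes, state: str) -> str:
    """Step 1: where to send the browser. response_type=code keeps the
    token exchange on the server, where the app secret lives."""
    params = {
        "client_id": app_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": ",".join(scopes),
        "state": state,
    }
    return f"{DIALOG_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the one-time code from the redirect, refusing any callback
    whose state does not match the value kept in the session."""
    qs = parse_qs(urlsplit(callback_url).query)
    if "error" in qs:
        raise PermissionError(f"login dialog returned error: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: possible login CSRF")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code


def build_token_request(app_id, app_secret, redirect_uri, code) -> tuple:
    """Step 2: the server-only exchange. Returns (url, params); the
    client_secret must never reach the browser."""
    return TOKEN_URL, {
        "client_id": app_id,
        "redirect_uri": redirect_uri,
        "client_secret": app_secret,
        "code": code,
    }


def parse_token_response(body: str) -> dict:
    """Accept the form-encoded body shown on the slides
    ('access_token=...&expires=...') as well as a JSON body."""
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        return {"access_token": data["access_token"],
                "expires": int(data.get("expires_in", 0))}
    qs = parse_qs(body)
    return {"access_token": qs["access_token"][0],
            "expires": int(qs.get("expires", ["0"])[0])}


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """appsecret_proof = hex(HMAC-SHA256(key=app_secret, msg=access_token)),
    sent with every server-side Graph API call (slide 95)."""
    return hmac.new(app_secret.encode("utf-8"), access_token.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def check_debug_token(debug_response: dict, expected_app_id: int,
                      required_scopes, now: int) -> list:
    """Validate a /debug_token response before trusting a token that
    arrived from a client. Returns the list of problems (empty = OK)."""
    data = debug_response.get("data", {})
    problems = []
    if "error" in data or not data.get("is_valid"):
        problems.append("token is not valid")
    if data.get("app_id") != expected_app_id:
        problems.append("token was issued to another app")
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now:
        problems.append("token expired")
    missing = set(required_scopes) - set(data.get("scopes", []))
    if missing:
        problems.append("missing scopes: " + ",".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    state = new_state()
    print(build_login_url("760835680597440", "http://fabrice.delhoste.com/",
                          ["read_stream", "user_friends"], state))
    print(appsecret_proof("not-a-real-secret", "CAAKzZBdx5dcABAIAjZBs9Q"))
```

The app_id check in check_debug_token is what stops a token legitimately issued to some other application from being accepted by yours (a confused-deputy problem); the scope check stops a client from presenting a token that lacks the permissions the server is about to rely on.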
Slide 117 (continued) - Facebook Graph API?
- Read, publish, update, delete, search

Slide 118 - Graph API: Overview
- Object-oriented: every object has a unique identifier; objects are linked by connections; all data is returned as JSON objects
- Objects: https://graph.facebook.com/{ID}, e.g. https://graph.facebook.com/25465437753 or https://graph.facebook.com/fabricedelhoste
- Connections: https://graph.facebook.com/{ID}/{connection}, e.g. https://graph.facebook.com/25465437753/friends or https://graph.facebook.com/me/friends

Slide 119 - Graph API: Root Objects
Achievement, Album, Application, Checkin, Comment, Domain, Errors, Event, FriendList, Group, Insights, Link, Message, Note, Offer, Order, Page, Payment, Photo, Pictures, Post, Question, QuestionOption, Review, Status message, Thread, User, Video

Slide 120 - Graph API: Reading
- GET HTTP request
- Different permissions apply to objects, fields and connections; an access token is required for most personal data
- Response: { "fieldname": {field-value}, ... }
- Special object /me: it's me in the social graph

Slide 121 - Graph API: Reading a public object
    GET https://graph.facebook.com/markzuckerberg
    {
      "id": "4",
      "name": "Mark Zuckerberg",
      "first_name": "Mark",
      "last_name": "Zuckerberg",
      "link": "https://www.facebook.com/zuck",
      "username": "zuck",
      "hometown": { "id": "105506396148790", "name": "Dobbs Ferry, New York" },
      "location": { "id": "104022926303756", "name": "Palo Alto, California" },
      "bio": "I'm trying to make the world a more open place.",
      "quotes": "\"Fortune favors the bold.\"\r\n- Virgil, Aeneid X.284\r\n\r\n\"All children are artists. The problem is how to remain an artist once you grow up.\"\r\n- Pablo Picasso\r\n\r\n\"Make things as simple as possible but no simpler.\"\r\n- Albert Einstein",
      "work": [ { "employer": { "id": "20531316728", "name": "Facebook" },
    (truncated on the slide)
- Address the object by vanity name or by UID (user id)
- No access token is needed for public objects
- By default, every field is returned

Slide 122 - Graph API: Introspection
    GET https://graph.facebook.com/markzuckerberg?metadata=1
    {
      "id": "4",
      "name": "Mark Zuckerberg",
      "first_name": "Mark",
      "metadata": {
        "connections": {
          "home": "https://.../home?access_token=CAAKz",
          "feed": "https://.../feed?access_token=CAAKz",
          "friends": "https://.../friends?access_token=CAAKz",
          "mutualfriends": "https://.../mutualfriends?access_token=CAAKz",
          "family": "https://.../markzuckerberg/family?access_token=CAAKz",
        "fields": [
          { "name": "id", "description": "The user's Facebook ID" },
          { "name": "name", "description": "The user's full name" },
    (truncated on the slide)

Slide 123 - Graph API: Selecting fields/connections
    GET https://graph.facebook.com/me/friends?access_token=<token>&fields=name,birthday
    { "data": [
        { "name": "Eric Therene", "birthday": "12/22/1968", "id": "1027414115" },
        { "name": "Jeremy Marois", "birthday": "01/23/1990", "id": "1329818667" },
      ] }
- You can filter fields AND connections

Slide 124 - Graph API: Global Limit
    GET https://graph.facebook.com/me/albums?access_token=<token>&limit=5
    { "id": "702008335", "albums": { "data": [ { "id": "10151819411378336", "from": { "name": "Fabrice Delhoste", "id": "702008335" }, "name": "Instagram", "link": "https://www", "cover_photo": "10151819411413336", "privacy": "everyone", "count": 10,
- My last 5 photo albums

Slide 125 - Graph API: Field Limit
    GET https://graph.facebook.com/me?access_token=<token>&fields=albums.limit(5)
- Same result as the previous slide

Slide 126 - Graph API: Mixing fields and limits
    GET https://graph.facebook.com/me?access_token=<token>&fields=albums.limit(5).fields(name,photos.limit(1).fields(name,picture))
    { "id": "702008335", "albums": { "data": [ { "name": "Instagram", "id": "10151819411378336", "created_time": "2013-07-25T08:49:09+0000", "photos": { "data": [ { "name": "Mod", "picture": "https://fbcdn",
- Name and picture of the first photo of each of my last 5 photo albums

Slide 127 - Graph API: Cursor-based Pagination
- A cursor marks an invariant point in a list of data
- Preferred pagination: consistent even if objects have been created or deleted since you got the page
- Not currently supported by all object types; supported: photos, albums, links, notes, admins, comments, likes, ...
- 2 request parameters: before, after

Slide 128 - Graph API: Cursor-based Pagination
    GET https://graph.facebook.com/283864466145_10151727303376146/likes
    { "data": [
        { "id": "1018544972", "name": "Tyrion Lannister" },
        { "id": "100000974199494", "name": "Cersei Lannister" },
      ],
      "paging": {
        "cursors": { "after": "MTMwMjc5OTMxOQ==", "before": "MTAxODU0NDk3Mg==" },
        "next": "https://graph.facebook.com/283864466145_10151727303376146/likes?limit=25&after=MTMwMjc5OTMxOQ%3D%3D"
      } }
- Gets the likes of this page post id
- "before" (or "after") is always included: useful to poll for updates
- The response includes the links to paginate

Slide 129 - Graph API: Cursor-based Pagination, moving forward
    GET https://graph.facebook.com/283864466145_10151727303376146/likes?limit=25&after=MTMwMjc5OTMxOQ%3D%3D
    { "data": [
        { "id": "1018544972", "name": "Tyrion Lannister" },
      ],
      "paging": {
        "cursors": { "after": "MTU4NDc4MjE4MQ==", "before": "MTM5NjgxODI0OA==" },
        "previous": "https://graph.facebook.com/283864466145_10151727303376146/likes?limit=25&before=MTM5NjgxODI0OA%3D%3D",
        "next": "https://graph.facebook.com/283864466145_10151727303376146/likes?limit=25&after=MTU4NDc4MjE4MQ%3D%3D"
      } }

Slide 130 - Graph API: Offset-based Pagination
- Supported by all objects; can be combined with the other types of pagination
- Marks an offset point and a number of objects in a list of data
- Used when chronology is irrelevant
- 2 request parameters: limit, offset

Slide 131 - Graph API: Offset-based Pagination
    GET https://graph.facebook.com/me/friends?access_token=<token>&limit=10&offset=10
    { "data": [ { "name": "Luke Skywalker", "id": "100004245228110" } ],
      "paging": {
        "next": "https://graph.facebook.com/702008335/friends?limit=10&offset=20&access_token=CAAKzZB...&__after_id=739453773",
        "previous": "https://graph.facebook.com/702008335/friends?limit=10&offset=0&access_token=CAAKzZB...&__before_id=695205969"
      } }
- Gets the friends at the current indexes [10-20)

Slide 132 - Graph API: Time-based Pagination
- Timestamps pointing to specific times in a list of data
- Less accurate than cursors
- 2 request parameters: since, until

Slide 133 - Graph API: Time-based Pagination
    GET https://graph.facebook.com/me/home?access_token=<token>&limit=5
    { "data": [ { "name": "Luke Skywalker", "id": "100004245228110" } ],
      "paging": {
        "previous": "https://graph.facebook.com/702008335/home?limit=5&access_token=CAAK...&since=1386678619&__previous=1",
        "next": "https://graph.facebook.com/702008335/home?limit=5&access_token=CAAK...&until=1386675900"
      } }
- since and until are expressed as a number of seconds since January 1 1970 00:00:00 UTC

Slide 134 - Graph API: Multiple objects at once
    GET https://graph.facebook.com/?access_token=<token>&ids=4,5,6&fields=username
    { "4": { "username": "zuck", "id": "4" }, "5": { "username": "ChrisHughes", "id": "5" }, "6": { "username": "moskov", "id": "6" } }

Slide 135 - Graph API: Date & Locale
- Dates: ISO-8601 by default; add the "date_format" request parameter to override it, syntax: http://php.net/manual/en/function.date.php
- Locale: add the "locale" request parameter to override the default, syntax: https://www.facebook.com/translations/FacebookLocales.xml
- Further information: https://developers.facebook.com/docs/reference/api/dates/ and https://developers.facebook.com/docs/reference/api/locale/

Slide 136 - Graph API: Publishing
- POST HTTP request
- Access token required, with the right permissions
- Examples: post a status or a picture, like something, post comments
- Reference for every object: https://developers.facebook.com/docs/graph-api/reference

Slide 137 - Graph API Publishing: Basic Example
    POST https://graph.facebook.com/me/feed?access_token=<token>&message=This is a default message.
    { "id": "702008335_10152142129743336" }

Slide 138 - Graph API Publishing: Post a like
    POST https://graph.facebook.com/702008335_10152142129743336/likes?access_token=<token>
    true
- Like is a special case: it has no id

Slide 139 - Graph API Publishing: Privacy
- Add the "privacy" parameter to post requests
- The application's privacy setting is the ceiling for this value (ex: if the app is set to FRIENDS, posting publicly is not allowed)
- Privacy can be set to: ALL_FRIENDS (direct friends), FRIENDS_OF_FRIENDS (level 2), SELF (only me can see this; useful to test on real accounts), E

...

Slide 140 - Graph API Publishing: Privacy Settings (screenshot)

Slide 141 - Graph API Publishing: Posting to friends
    POST https://graph.facebook.com/me/feed?access_token=<token>&privacy={"value":"ALL_FRIENDS"}&message=This is a message to all of my friends.
    { "id": "702008335_10152142129743336" }

Slide 142 - Graph API Publishing: Posting to friends except a friend list
    POST https://graph.facebook.com/me/feed?access_token=<token>&privacy={"value":"CUSTOM","allow":"ALL_FRIENDS","deny":"10150382806413336,10150382789648336"}&message=This is a message with custom privacy.
    { "id": "702008335_10152142133908336" }
- The deny values are the ids of the "acquaintances" and "family" friend lists; they can also be user ids, to exclude specific people

Slide 143 - Graph API Publishing: Photos
- 2 ways:
  - Upload a photo to the app's album or to an existing one; the app's album is created if necessary and is named "App name" + " Photos"
  - Publish an existing web photo, just from its URL

Slide 144 - Graph API Example: Publishing Photos (upload)
    POST https://graph.facebook.com/me/photos?access_token=<token>&privacy={"value":"ALL_FRIENDS"}&message=Great city.
    Content-Type: multipart/form-data; boundary=WebKitFormBoundaryV

    --WebKitFormBoundaryV
    Content-Disposition: form-data; name="source"; filename="marseille.jpg"
    Content-Type: image/jpeg
Id of the photo object.Id of the post object.HTTP Multipart request.Behind the scene (Postman will send this).{ "id": "10152142262128336", "post_id": "702008335_10152142255908336" } 144 Graph API Example - Publishing Photos (web) POST https://graph.facebook.com/me/photos?access_token= &privacy={"value":"ALL_FRIENDS"} &message=Great city. &url=https://www.google.fr/images/srpr/logo11w.pngFacebook will download the photo.Id of the photo object.Id of the post object.{ "id": "10152142286438336", "post_id": "702008335_10152142255908336" } 145 Graph API Updating POST HTTP requestOver simple: elds and value to updateSame permissions as publishing146 Graph API Updating Basic Example POST https://graph.facebook.com/702008335_10152143278443336?access_token= &message=This is a modified message.Simply POST to the object.Cannot update everything (ex: privacy)true 147 Graph API Deleting DELETE HTTP requestAccess token required with permissions.Alternative: POST with "method=delete" parameter148 Graph API Deleting Basic Example DELETE https://graph.facebook.com/702008335_10152143278443336?access_token=! or! POST https://graph.facebook.com/702008335_10152143278443336?access_token= &method=deletetrue 149 Graph API Deleting Delete a like DELETE https://graph.facebook.com/702008335_10152143302288336/likes?access_token=Remember : like is not a root object.true 150 Graph API Searching GET /search?q=Access token required Pages & places: app access token Others: user access tokenNo public Graph Search API yet Example: "My friends that play Candy Crush Saga"151 Graph API Searching Searchable Types PostGroupUserCheckinPagePlaceEventLocation! !152 Graph API Searching Example GET https://graph.facebook.com/search?access_token= &q=fabrice delhoste &type=user{ "data": [ { "name": "Fabrice Delhoste", "id": "702008335" } ], "paging": { "next": "https://graph.facebook.com/search? 
type=user &q=fabrice+delhoste &access_token=CAAK &limit=5000 &offset=5000 &__after_id=702008335" }}

153 Facebook Graph API - Batch
Group requests together: several Graph API calls in a single HTTP request, which is more efficient than one round trip per call.

154 Facebook Graph API - Batch
A batch is a JSON array of HTTP requests; the response is a JSON array of HTTP responses in the same order.
Up to 50 requests per batch, each with its own access token or all sharing the access token given on the outer request.
GET, POST and DELETE are supported, as are multipart attachments (ex: photos).
Requests can depend on each other: a later request can reference part of an earlier, named request's result through a JSONPath expression. JSONPath is a JSON query language; Facebook supports a subset of it. See http://goessner.net/articles/JsonPath/
Timeouts: a request that did not complete is returned as null in the response array (the whole array can be null), so check for null before reading code or body.

155 Facebook Graph API - Batch - Basic Example
Post to the root; batch is sent as the (form-encoded) HTTP request body:
  POST https://graph.facebook.com/?access_token=
  batch=[
    { "method":"POST", "relative_url":"me/feed", "body":"message=Happy" },
    { "method":"GET",  "relative_url":"me/feed?limit=1" }
  ]
Post a status and read it immediately after (assuming no concurrent status update).
Response (one element per request, in order; each body is a JSON string with escaped newlines and quotes):
  [
    { "code": 200,
      "headers": [ {"name": "Cache-Control", "value": "private, no-cache, no-store, must-revalidate"}, ... ],
      "body": "{\n  \"id\": \"702008335_10152143594348336\"\n}" },
    { "code": 200,
      "headers": [ {"name": "Cache-Control", "value": "private, no-cache, no-store, must-revalidate"}, ... ],
      "body": "{\n  \"data\": [\n    {\n      \"id\": \"702008335_643 }\n}" }
  ]

156 Facebook Graph API - Batch - Messy Example
  POST https://graph.facebook.com/?access_token=
  batch=[
    { "method":"POST", "relative_url":"me/feed",
      "body":"message=Happy%26privacy=%257B%2522value%2522%253A%2522SELF%2522%257D" },
    { "method":"GET",  "relative_url":"me/feed?limit=1" }
  ]
Double URL-encoding needed!!! The sub-request body is itself a form-encoded string (the privacy JSON value is percent-encoded once), and the whole batch array is then form-encoded again as the value of the outer batch parameter, so every "&" becomes %26 and every "%" becomes %25.
Response: same shape as the basic example (two code 200 entries).

157 Facebook Graph API - Batch - Advanced Example
  POST https://graph.facebook.com/?access_token=
  batch=[
    { "method":"GET", "relative_url":"me/friends", "name":"friends", "omit_response_on_success":false },
    { "method":"GET", "relative_url":"?ids={result=friends:$.data.*.id}" }
  ]
The second request uses the JSONPath expression $.data.*.id on the result of the request named "friends". Syntax: {result=requestname:jsonpath}.
By default, the response of a request used as a dependency (here "friends") is not returned, to avoid overhead; "omit_response_on_success":false forces it to be returned.

158 Facebook Graph API - Errors
  {
    "error": {
      "message": "Message describing the error",
      "type": "OAuthException",
      "code": 190,
      "error_subcode": 460
    }
  }
Inside a batch, each sub-response carries its own HTTP code and, on failure, an error body of this shape; code 190 (OAuthException) means the access token is invalid or expired and the user must re-authenticate.
No official full documentation for error codes!!! See https://developers.facebook.com/docs/graph-api/using-graph-api/#errors ; Google is your friend.
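The following Python block is an added example, not code from the slides or from Facebook: it builds the batch body of slides 155-157 (including the double URL-encoding of the "messy" example and the {result=name:jsonpath} dependency syntax), decodes a batch response the way slide 154 describes it (bodies are JSON strings, a null entry is a timeout), and pulls the "after" cursor out of a cursor-paginated body as on slides 126-128. The access token, the ids and the sample response are constructed for the example.

```python
import json
from urllib.parse import urlencode

GRAPH_ROOT = "https://graph.facebook.com/"   # batch requests are POSTed to the root


def form_encode(params):
    """One level of application/x-www-form-urlencoded encoding. Dict/list values
    (the privacy JSON, the batch array) are serialised compactly first."""
    flat = {}
    for key, value in params.items():
        if isinstance(value, (dict, list)):
            value = json.dumps(value, separators=(",", ":"))
        flat[key] = value
    return urlencode(flat)


def batch_body(operations, access_token):
    """Build the outer request body for POST https://graph.facebook.com/.

    Each operation is a dict with method, relative_url and optionally params
    (for POST), name and omit_response_on_success. A POST's params are form-
    encoded ONCE into its "body" string; the whole batch array is then form-
    encoded a SECOND time as the value of the batch parameter. That is where
    the "double URL-encoding" of the slides comes from: & -> %26, % -> %25.
    """
    if len(operations) > 50:
        raise ValueError("Graph API batches are limited to 50 requests")
    batch = []
    for op in operations:
        entry = {"method": op["method"].upper(), "relative_url": op["relative_url"]}
        if op.get("params"):
            entry["body"] = form_encode(op["params"])
        for key in ("name", "omit_response_on_success"):
            if key in op:
                entry[key] = op[key]
        batch.append(entry)
    return form_encode({"access_token": access_token, "batch": batch})


def depends_on(name, jsonpath):
    """Reference part of an earlier named sub-request's result, e.g.
    depends_on("friends", "$.data.*.id") -> "{result=friends:$.data.*.id}"."""
    return "{result=%s:%s}" % (name, jsonpath)


def parse_batch_response(text):
    """Decode a batch response: a JSON array with one element per sub-request,
    in order. Each element's "body" is itself a JSON *string*; a null element
    means that sub-request timed out. Returns (code, body) pairs with the body
    decoded (an {"error": ...} object when the code is not 200)."""
    results = []
    for item in json.loads(text):
        if item is None:
            results.append((None, None))       # timeout: retry that request alone
            continue
        body = json.loads(item["body"]) if item.get("body") else None
        results.append((item["code"], body))
    return results


def next_cursor(body):
    """`after` cursor of a cursor-paginated Graph response, or None on the last page."""
    try:
        return body["paging"]["cursors"]["after"]
    except (KeyError, TypeError):
        return None


# Constructed response in the shape shown on the slides (bodies are JSON strings
# with escaped newlines); the third element failed, the fourth timed out.
SAMPLE_BATCH_RESPONSE = json.dumps([
    {"code": 200,
     "headers": [{"name": "Cache-Control", "value": "private, no-cache, no-store, must-revalidate"}],
     "body": "{\n   \"id\": \"702008335_10152143594348336\"\n}"},
    {"code": 200, "headers": [],
     "body": json.dumps({"data": [{"id": "702008335_10152143594348336", "message": "Happy"}],
                         "paging": {"cursors": {"after": "MTMwMjc5OTMxOQ==",
                                                "before": "MTAxODU0NDk3Mg=="}}})},
    {"code": 400, "headers": [],
     "body": json.dumps({"error": {"message": "Invalid OAuth access token.",
                                   "type": "OAuthException", "code": 190}})},
    None,
])


if __name__ == "__main__":
    ops = [
        {"method": "POST", "relative_url": "me/feed",
         "params": {"message": "Happy", "privacy": {"value": "SELF"}}},
        {"method": "GET", "relative_url": "me/feed?limit=1"},
        {"method": "GET", "relative_url": "me/friends", "name": "friends",
         "omit_response_on_success": False},
        {"method": "GET", "relative_url": "?ids=" + depends_on("friends", "$.data.*.id")},
    ]
    print(batch_body(ops, "ACCESS_TOKEN"))
    for code, body in parse_batch_response(SAMPLE_BATCH_RESPONSE):
        print(code, body, next_cursor(body))
```

Because urlencode percent-encodes "=" as well, the outer body contains message%3DHappy%26privacy%3D%257B... rather than the slightly simplified message=Happy%26privacy=... shown on slide 156; the server decodes both the same way.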
159 Facebook Graph API Old REST API Before Graph APIAbsolutely not RESThttps://api.facebook.com/method/{methodname}DeprecatedStill in use in some apps.160 Facebook Graph API Practical Work In Postman, create a new collection named "FB Graph API" and build HTTP requests to: Get your proleGet the birthday of one of your friendGet all of your friends birthdayGet 3 friend proles at onceGet your 10 rst friendsGet list from friend number 10 to friend number 20 161 Facebook Graph API Practical Work Get the photos of this albumCreate a photo album with privacy SELFAdd a web photo to this albumPost a message with custom privacy (allow/deny some testers)Like this postGet this post metadata162 Facebook Graph API Practical Work Get this post likesDelete this likeGet your home newsfeed (homepage recent stream)Get the messages of 50 latest newsfeed posts with their 3 last comment messagesRun a full text search for a pattern in your newsfeed retrieving only the message of the 5 rst matches163 Facebook Graph API Practical Work Create a secret eventIntrospect this eventInvite other testers to this eventAsk one of the testers to attend the eventGet the list of attendees164 Facebook Graph API Practical Work Upload a photo to this event with a short messageGet the event feedDelete this eventWrite a batch request to create and invite to an event at the same time165 FacebookFacebook Query Language (FQL) Facebook Query Language (FQL) https://developers.facebook.com/docs/reference/fqlLimited SQL subset One table, no JOIN, no LIKE, no COUNT(*), no GROUP BY, no star for multiple columns *,More power than Graph API Better ltering option Access to more information (ex: friend requests)Read-only virtual private database !Facebook actually exposes a database with more than 1 billion users ! 
167 Facebook Query Language (FQL) Tables album app_role application apprequest checkin column comment comments_info connection cookies developer domain domain_admin event event_member family friend friend_request friendlist friendlist_member group group_member insightslike link link_image_src link_stat location_post mailbox_folder message note notication object_url offer page page_admin page_blocked_user page_fan page_global_brand_child page_milestone permissions permissions_info photo photo_src photo_tag placeprivacy privacy_setting prole prole_pic prole_tab prole_view question question_option question_option_votes review score square_prole_pic square_prole_pic_size standard_friend_info standard_user_info status stream stream_lter stream_tag subscription table thread translationunied_message unied_message_count unied_message_sync unied_thread unied_thread_action unied_thread_count unied_thread_sync url_like user video video_tag168 Facebook Query Language (FQL) Query Syntax select_expr can be a eld or a function of a eld.Cannot use * (star)Only 1 tableOnly 1 order by expressionOset-based PaginationSELECT select_expr [, select_expr ...] FROM table_reference WHERE where_condition [ORDER BY {col_name | expr | position} [ASC | DESC]] [LIMIT {[offset,] row_count | row_count OFFSET offset}]where_condition is composed of: ! 
Logical operators: OR, AND, NOT IN (subquery)IN (expr [, expr] )= != < > =+ - * /Grouping with parenthesis ()Functions (next slides) 169 Facebook Query Language (FQL) Sending FQL Query https://graph.facebook.com/fql?access_token= &q=SELECT name FROM user WHERE uid=me()Obviously, the query must be URLencoded (not here for readability)me() is the user authenticated by the access_tokenJSON result:array of objects enclosed in data { "data": [ { "name": "Tyrion Lannister" } ] } 170 Facebook Query Language (FQL) Subqueries My friends and me with our square pictureSELECT name, pic_square FROM user WHERE uid = me() OR uid IN (SELECT uid2 FROM friend WHERE uid1 = me())User Id is IN the result of the nested query171 Facebook Query Language (FQL) PaginationSELECT name FROM user WHERE uid IN (SELECT uid2 FROM friend WHERE uid1=me()) LIMIT 1010 rst friends172 Facebook Query Language (FQL) PaginationSELECT name FROM user WHERE uid IN (SELECT uid2 FROM friend WHERE uid1=me()) LIMIT 10,1010 next friends ! Identical toLIMIT 10 OFFSET 10173 Facebook Query Language (FQL) Sending multiple queries at once GET https://graph.facebook.com/fql?q={ "query1": "SELECT uid, rsvp_status FROM event_member WHERE eid=219790564859590", "query2": "SELECT name, url, pic FROM profile WHERE id IN (SELECT uid FROM #query1)" }#query1 is a reference to the results of rst query (named "query1"). 
Use hash symbol to reference.Name your queries {Query 1: get the members invited to an event (12345678)Query 2: get the prole details of the attendees"data": [ { "name": "query1", "fql_result_set": [{"uid":702008335,"rsvp_status": "attending" } ]}, { "name": "query2", "fql_result_set": [ { "name": "Fabrice Delhoste", "url": "https://www.facebook.com/fabricedelhoste", "pic": "https://fbcdn-profi" } ] } ] }174 Facebook Query Language (FQL) Data Types stringunsigned int32boolstructarrayobjectidnumbertimestamplistint32 175 Facebook Query Language (FQL) Indexable Columns Every table has one or more index-able columnsIMPORTANT: FQL query MUST have at least one index-able column in WHERE clause.Marked with "magnier" icon in FQL reference documentation176 Facebook Query Language (FQL) Functions me(): guess who?now(): guess when?rand(): random numberconcat(, ): concatenatestrlen(string): length of string177 Facebook Query Language (FQL) Functions substr(string, start, length): substringstrpos(haystack, string): search string in haystack Use it to achieve "LIKE"upper(string): convert string to uppercaselower(string): convert string to lowercasedistance(latitude, longitude, "oat", "oat"): used for geolocation 178 Facebook Query Language (FQL) Functions SELECT concat(substr(first_name,0, 1), substr(last_name, 0, 1)) FROM user WHERE uid IN ( SELECT uid2 FROM friend WHERE uid1 = me())Returns all friends initials.anon is the result of the function{ "data": [ { "anon": "TL" }, { "anon": "JS" }, 179 Facebook Graph API Practical Work In Postman, create a collection named "FB FQL" and build HTTP requests to: Get my prole (hometown, birthday, )Get my last statusGet all of my eventsGet all photos Im tagged intoList friends sorted by their name lengthSearch friend from a patternFind and order the 10 friends with highest number of mutual friendsFind name of online friends 180 Facebook Graph API Practical Work Get your unread notications (simulate them)Get pages and their number of fans 
Im following (look to connection table)Get all photos from latest modied album from most recent to oldestFind name of all friends but familyFind all singles out of your friendsWrite a batch that nds singles and post "Hello" concatenated with all of their rst namesGet latest one-week photos from all of your friends (most recent rst)Get each friend list your friends belongs to (for each friend) 181 FacebookDeveloper Tools Test Users Facility to create fake users for testing purposes Facebook Developer Tools Test Users? https://developers.facebook.com/docs/test_users/Used for development and debugging purposesTest Users = Fake Users Avoid confusing with Testers = Real Users !!! Invisible, no interaction with real users2000 test users per app max.184 Facebook Developer Tools Test Users Creating and Deleting Test Users (GUI)Testers = Real UsersTest Users = Fake Users Facebook Developer Tools Test Users Getting Test Users GET https://graph.facebook.com/760835680597440/accounts/test-users? access_token=App access token{ "data": [ { "id": "100007272790057", "access_token": "CAAKzZBdx5", "login_url": "https://www.facebook.com/platform/ test_account_login.php?user_id=100007272790057&n=FlFJkyssketSX9Y" }, } 186 Facebook Developer Tools Test Users Creating a test user (API) GET https://graph.facebook.com/760835680597440/accounts/test-users? &access_token= app id &name=Tyrion Lannister &locale=en_US &installed=true &permissions=read_stream Is the application installed to this user at creation? &method=post If installed=true, these are the permissions given to the application.login_url allows direct login (no password).{ "id": "100007176673155", "email": "[email protected]", "access_token": "CAAKzZBdx5", "login_url": "https://www.facebook.com/platform/ test_account_login.php?user_id=100007176673155&n=tR7yCoyWqEw1Wfu", "password": "1890805985" } 187 Facebook Developer Tools Test Users Deleting a test user https://graph.facebook.com/100007176673155? 
access_token=User access token or app access tokentrue 188 Facebook Developer Tools Test Users Update Test Users username and password GET https://graph.facebook.com/100007176673155? &access_token= &password=thrones &name=Cersei Lannister &method=posttrue 189 Facebook Developer Tools Test Users Making Friends POST (friend request) https://graph.facebook.com/100007176673155/friends/100007272790057? access_token=! then! POST (friend confirmation) https://graph.facebook.com/100007272790057/friends/100007176673155? access_token=User access token (the user to add friend to)true 190 Facebook Developer Tools Test Users Adding test users to other apps GET https://graph.facebook.com/APP_ID/accounts/test-users? installed=true &permissions=read_stream &uid=TEST_USER_ID &owner_access_token= &access_token= &method=postApp access token to add the user fromApp access token to add the user totrue 191 Facebook Developer Tools Test Users Practical Work In Postman, create a "FB Test Users" collection where you build HTTP requests to: Create 3 test users: Bob, Joe, and LarryMake Bob friend with JoeRequest Larry to be friend with JoeUse Graph API Batch to get friends and friendrequestsUse Graph API Batch to delete them all 192 Facebook Support & Maintenance Roadmap developers.facebook.com/roadmap/Review frequently.194 Breaking Changes and Migration Policy 90-day breaking change policy.Breaking change automatically enabled for new apps.Recommendation: asap !TODO : App Dashboard / Migration195 Platform Status developers.facebook.com/live_status/ JSONEventsHistory 196 Bugs developers.facebook.com/bugs/Subscribe to bugs(email alert)Communicate with FacebookProblem description197 Beta Tier developers.facebook.com/docs/support/beta-tier/Desktop: www.beta.facebook.comMobile Web: m.beta.facebook.comApps in Canvas: apps.beta.facebook.comGraph API: graph.beta.facebook.comCode changes: Beta on Sunday evenings (Pacic time)Production on Tuesday evenings 198 Stay 
tuneddevelopers.facebook.com/blog@FacebookDevRel @fb_engineering 199 FacebookChat API Facebook Chat API https://developers.facebook.com/docs/chat/XMPP eXtensible Messaging and Presence Protocol Custom with limitations. Ex: authentication, presence, Use one of the numerous XMPP client framework Ex: Smack in Java Not (yet?) covered in this course. 201 FacebookOpen Graph Open Graph Object and Action Model Facebook internal graph have limited interactions Open Graph turns any web page into an objectObject and Action modelNot (yet?) covered in this course. 203 FacebookReal-time Updates Facebook Realtime Updates Push model Subscribe to data changes vs Polling modelFacebook calls your server with POST requestCaching data Ex: synchronize friend information205 Facebook Realtime Updates Publicly Supported Objects User Limited to: feed, friends, activities, interests, music, books, movies, television, likes, checkins, location, events.PermissionsPayments and Payment SubscriptionsErrorsPage Limitations 206 Facebook Realtime Updates Dashboard With recent new dashboard, FB removed the panel !!! 
Workaround: https://developers.facebook.com/apps/{appId}/realtime?ref=nav

207 Facebook Realtime Updates - Dashboard

208 Facebook Realtime Updates - How to proceed
3 steps:
  1. Register your server (dashboard or API)
  2. Respond correctly to the verification GET request ("ping")
  3. Start listening for POST requests

209 Facebook Realtime Updates - API
  https://graph.facebook.com/{appId}/subscriptions   (app access token)
Listing subscriptions: GET
Adding or modifying subscriptions: POST, with query parameters:
  callback_url: our server endpoint
  fields: a comma-separated list of object properties to be notified about
  object: the object type to be notified about (ex: user)
  verify_token: an arbitrary secret string that Facebook sends back to our server
Facebook immediately sends a GET request to callback_url to validate your server before accepting the subscription.
Deleting subscriptions: DELETE

210 Facebook Realtime Updates - Your Callback Server
Two endpoints needed: Subscription Verification (GET) and Receiving Updates (POST). HTTPS preferred.

211 Facebook Realtime Updates - Your Callback Server - Subscription Verification
Query parameters:
  hub.mode: "subscribe"
  hub.challenge: a random value chosen by Facebook
  hub.verify_token: the value defined at subscription
Check hub.mode and compare hub.verify_token with the value you registered; only then return hub.challenge as the response body. Without this check anyone could register your URL as the callback of their own app and have Facebook push their traffic at your server. A source-IP check ("is this really Facebook?") is not a substitute: for the verification GET the verify_token is the check, and for the update POSTs the X-Hub-Signature is.

212 Facebook Realtime Updates - Your Callback Server - Subscription Verification
  GET http://mycallbackserver.com/?hub.mode=subscribe&hub.challenge=677173267&hub.verify_token=thisisme
Verify the token. If OK, echo the challenge back to Facebook to validate the registration:
  677173267

213 Facebook Realtime Updates - Your Callback Server - Receiving Updates
JSON body. No content, only a notification about what changed: a request (Graph API or FQL) is needed to get the details. Example: notified about changes to the friends field.
Batch updates: possibly several notifications in one request.
Retry policy: deliveries your server does not acknowledge are retried.
The payload is signed: the X-Hub-Signature header carries sha1=<hex HMAC-SHA1 of the raw request body, keyed with the app secret>. Verify it over the raw bytes, with a constant-time comparison, before trusting the body; this, not the source address, is what authenticates the POST.

214 Facebook Realtime Updates - Your Callback Server - Receiving Updates
  POST http://mycallbackserver.com/
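The two endpoints described above, as an added Python example (not code from the slides or from Facebook): the verification handler compares hub.verify_token and echoes hub.challenge, and the update handler checks X-Hub-Signature before parsing a body shaped like the one on slide 214. The "sha1=<hex>" header format is Facebook's documented one; the app secret is a constructed placeholder, the verify token is the slide's "thisisme", and the sample notification is constructed from the slide's fields. Both checks use constant-time comparison.

```python
import hashlib
import hmac
import json

# Constructed values for the example: the real app secret comes from the app
# dashboard, and the verify token is whatever you sent when creating the
# subscription ("thisisme" is the value used on the slides).
APP_SECRET = b"example-app-secret-not-a-real-one"
VERIFY_TOKEN = "thisisme"


def handle_verification(query, verify_token=VERIFY_TOKEN):
    """GET endpoint. Facebook calls it with hub.mode, hub.challenge and
    hub.verify_token. Return the challenge to echo back, or None (answer 403)."""
    if query.get("hub.mode") != "subscribe":
        return None
    supplied = query.get("hub.verify_token", "")
    if not isinstance(supplied, str) or not supplied.isascii():
        return None
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(supplied, verify_token):
        return None
    return query.get("hub.challenge")


def sign_body(app_secret, raw_body):
    """What Facebook puts in X-Hub-Signature: sha1=<hex HMAC-SHA1 of the raw body>."""
    return "sha1=" + hmac.new(app_secret, raw_body, hashlib.sha1).hexdigest()


def verify_signature(app_secret, raw_body, header_value):
    """Check the X-Hub-Signature header against the raw request bytes.
    Never re-serialise the JSON before hashing: any whitespace change breaks it."""
    if not isinstance(header_value, str) or not header_value.isascii():
        return False
    if not header_value.startswith("sha1="):
        return False
    return hmac.compare_digest(sign_body(app_secret, raw_body), header_value)


def handle_update(app_secret, raw_body, header_value):
    """POST endpoint. Reject unsigned or badly signed bodies; otherwise return
    (object type, object id, changed fields) per entry, to be fetched with the
    Graph API afterwards (the notification itself carries no field values)."""
    if not verify_signature(app_secret, raw_body, header_value):
        return None
    payload = json.loads(raw_body.decode("utf-8"))
    obj = payload.get("object")
    return [(obj, entry["id"], entry.get("changed_fields", []))
            for entry in payload.get("entry", [])]


# Constructed notification in the shape Facebook sends (same fields as the slide).
SAMPLE_UPDATE = json.dumps({
    "object": "user",
    "entry": [{"uid": "100001555554986", "id": "100001555554986",
               "time": 1387128215, "changed_fields": ["hometown"]}],
}).encode("utf-8")


if __name__ == "__main__":
    print(handle_verification({"hub.mode": "subscribe", "hub.challenge": "677173267",
                               "hub.verify_token": "thisisme"}))
    sig = sign_body(APP_SECRET, SAMPLE_UPDATE)
    print(handle_update(APP_SECRET, SAMPLE_UPDATE, sig))
    print(handle_update(APP_SECRET, SAMPLE_UPDATE + b" ", sig))   # None: body tampered
```

In a real servlet or WSGI handler, pass the request body bytes exactly as received to handle_update; reading them through a JSON parser and dumping them again is the usual cause of signature mismatches.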
  {
    "object": "user",
    "entry": [
      { "uid": "100001555554986", "id": "100001555554986", "time": 1387128215, "changed_fields": ["hometown"] }
    ]
  }
Here are the fields that have been updated. If you need the details (the new values), fetch the object with the Graph API or FQL.

215 Facebook Realtime Updates - Practical Work
If this is possible on your network (NAT, tunnel, reverse proxy), implement a Java servlet:
  Responding to the RTU verification ping
  Simulating and then receiving updates for user changes such as hometown
  Bonus: verifying the X-Hub-Signature :-)
  Getting the user's new hometown
  Registering it to RTU
In Postman, create an HTTP collection named "RTU Facebook" and write all the HTTP requests to subscribe/unsubscribe/list RTU subscriptions.

216 Twitter - Overview

Twitter
Founded in 2006 by Jack Dorsey, Evan Williams, Biz Stone, and Noah Glass.
232 million monthly active users. 100 million daily active users. 176 million mobile users. More than 340 million tweets daily.

219 Twitter?
Social network and microblogging
Real-time information network
Ad network
Search engine
Identity provider across the web and mobile apps

220 Twitter Features
Tweet (140-character message), Mention, Timeline, Lists, Follow, Direct Message, Favorite, Search and Discover, Trending topics, Twitter Cards, Retweet, Twitter buttons, Hashtag

221 Twitter Features (annotated screenshot)
Interactions, Following & Followers, Personalized Content, Profile, Direct Message, Go to Settings, Post a tweet, Search Suggestions, Home Timeline, Trends

Twitter Tweet? (annotated screenshot)
Twitter account, Text, Hyperlink, Mention, Hashtag, Tweet to reply, Copy/paste to your followers (retweet), Mark as favorite

Twitter Concerns
Sustainability
Competitors: Facebook, Google, WhatsApp?

224 Twitter References
www.twitter.com
dev.twitter.com

225 Twitter - Platform
Twitter Platform?
A real-time messaging infrastructure Develop applications on top of Twitter APIs Access data in TwitterFor: External websitesDevices and Mobiles apps227 Twitter Platform APIs Current release: 1.1REST API Poll-based system - pseudo real-timeStreaming API Long-lived real-time connectionsAuthentication: mostly oAuth 1.0JSON 228 Twitter Platform ObjectsMetadata and contextual information(extracted hashtags, urls, media, mentions, ) 229 Twitter Platform Objects Tweets {https://dev.twitter.com/docs/platform-objects/tweetsBeware of the accuracy on id (ex: in "created_at": "Sun Dec 15 12:13:22 +0000 2013", "id": 412193666464489472, Javascript). Prefer id_str if they are dierent. "id_str": "412193666464489472", "text": "The old adage that "People are hired for their talents and fired for their behavior" is true. http://t.co/evY73iGtyI", "source": "SocialFlow", "truncated": false, "in_reply_to_status_id": null, "in_reply_to_status_id_str": null, "in_reply_to_user_id": null, "in_reply_to_user_id_str": null, "in_reply_to_screen_name": null, Contains users details. See User object. "user": { }, "geo": null, "coordinates": null, Location. See Place object. "place": null, "contributors": null, "retweet_count": 40, Contains metadata of this tweets such as hashtags, "favorite_count": 30, urls, "entities": { }, "favorited": false, See Entities object. "retweeted": false, "possibly_sensitive": false, "lang": "en" 230 } Twitter Platform Objects Users https://dev.twitter.com/docs/platform-objects/users"user": { "id": 13348, "id_str": "13348", "name": "Robert Scoble", "screen_name": "Scobleizer", "location": "Half Moon Bay, California, USA", "description": "@Rackspace's Startup Liaison Officer, who grew up in Silicon Valley, brings you technology news, videos, and opinions.", "url": "http://t.co/EIFG1Db6U8", "entities": { }, Metadata extracted from users "protected": false, description. See Entities object. 
"followers_count": 371652, "friends_count": 40759, "listed_count": 23418, "created_at": "Mon Nov 20 23:43:44 +0000 2006", "favourites_count": 56779, "utc_offset": -28800, "time_zone": "Pacific Time (US & Canada)", "geo_enabled": true, "verified": true, "statuses_count": 65327, "lang": "en", }, 231 Twitter Platform Objects Entities https://dev.twitter.com/docs/platform-objects/entities "entities": { "hashtags": [], "symbols": [], "urls": [ { "url": "http://t.co/h6IsNNn3n7", "expanded_url": "http://j.mp/1ctMGrZ", "display_url": "j.mp/1ctMGrZ", "indices": [103,125] } ], "user_mentions": [ { "screen_name": "FastCoLabs", "name": "FastCoLabs", "id": 1114932710, "id_str": "1114932710", "indices": [3,14] }, { "screen_name": "johnpaul", "name": "John Paul Titlow", "id": 3144021, "id_str": "3144021", "indices": [129,138] } ] }Indexes of the string in the text associated to this URL232 Twitter Platform Objects Places https://dev.twitter.com/docs/platform-objects/places"place": { "attributes":{}, "bounding_box": { "coordinates": [[ [-77.119759,38.791645], [-76.909393,38.791645], [-76.909393,38.995548], [-77.119759,38.995548] ]], "type":"Polygon" }, "country":"United States", "country_code":"US", "full_name":"Washington, DC", "id":"01fbe706f872cb32", "name":"Washington", "place_type":"city", "url": "http://api.twitter.com/1/geo/id/01fbe706f872cb32.json" }233 Twitter Platform Terms & Conditions Its free!Twitter has the right to blacklist your applicationTwitter has rate limitsTwitter has the right to change the rightsits free!234 Facebook Platform API Limitations API is very openbut also rate-limited.See https://dev.twitter.com/docs/rate-limiting/1.1 for global policy. 
Caching, prioritizing active users, fair use, Streaming API, ...
Each API function has documented rate limits: https://dev.twitter.com/docs/rate-limiting/1.1/limits
The limits depend on the authentication context (user or app).

235 Twitter Platform - Creating and Configuring an Application

Twitter Platform - Creating and configuring an application
Callback URL: used during the OAuth callback to obtain the access token.

237 Twitter Platform - Creating and configuring an application
Consumer Key and Consumer Secret. Never reveal the Consumer Secret!

238 Twitter Platform - Creating and configuring an application - Permissions

239 Twitter Platform - Practical Work
Create a Twitter account.
Create your own Twitter application with full access.
Define the oauth_callback URL as whatever is supposed to be your server (we won't develop our server in this training).

240 Twitter - Authentication & Authorization

Twitter Authentication & Authorization
Application-user authentication: OAuth 1.0a. Every request is signed, and the user access token takes part in the signature. Lets the application read and write on behalf of a Twitter user.
Application-only authentication: OAuth 2 client credentials grant, bearer token. Lets the application read on its own behalf (ex: search); there is no user context, so it cannot write on behalf of a user.
Tokens do not expire, except when the user revokes your application or Twitter suspends your application.

242 Twitter Authentication & Authorization - Application-user Authentication

Twitter Authentication & Authorization - Application-user Authentication - How to sign
How to sign user-level requests?
1. Make the HTTP verb uppercase.
2. Collect every parameter of the request: query string, form body and the oauth_* values (all except oauth_signature). Percent-encode each key and each value. Twitter requires strict RFC 3986 encoding: only A-Z, a-z, 0-9, "-", ".", "_" and "~" stay bare; a space is %20, never "+". See https://dev.twitter.com/docs/auth/percent-encoding-parameters
3. Sort the pairs alphabetically by encoded key (then by encoded value), join each pair as key=value and the pairs with "&", then percent-encode that whole parameter string once more (so "=" becomes %3D and "&" becomes %26).
4. Build the signature base string:
   payload = "{uppercase http verb}&{encoded url}&{encoded parameter string}"
   i.e. {VERB}&{encoded url}&{encoded key}%3D{encoded value}%26{encoded key}%3D{encoded value}...
5. Compute the signature:
   key = {percent-encoded consumer_secret}&{percent-encoded oauth_token_secret}
   oauth_signature = base64( HMAC-SHA1(key, payload) )
   While obtaining a request token there is no token secret yet, so the key is just "{consumer_secret}&".

244 Twitter Authentication & Authorization - Application-user Authentication - Payload to sign
This is an example of a payload (signature base string) to sign:
  POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&include_entities%3Dtrue%26oauth_consumer_key%3Dxvz1evFS4wEEPTGEFPHBog%26oauth_nonce%3DkYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1318622958%26oauth_token%3D370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb%26oauth_version%3D1.0%26status%3DHello%2520Ladies%2520%252B%2520Gentlemen%252C%2520a%2520signed%2520OAuth%2520request%2521
Note the double encoding of the status value: it was percent-encoded once as a parameter value (%20, %2B, ...) and again as part of the parameter string (%2520, %252B, ...).

245 Twitter Authentication & Authorization - Application-user Authentication - Signature example
After signature, the request sent on the wire:
  POST /1/statuses/update.json?include_entities=true HTTP/1.1
  Host: api.twitter.com
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 76
  Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
      oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
      oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",
      oauth_signature_method="HMAC-SHA1",
      oauth_timestamp="1318622958",
      oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
      oauth_version="1.0"

  status=Hello%20Ladies%20%2b%20Gentlemen%2c%20a%20signed%20OAuth%20request%21

246 Twitter Authentication & Authorization - Application-user Authentication - Authorization Header Details
The Authorization HTTP header contains:
  oauth_consumer_key: API key, found in the Twitter application dashboard
  oauth_nonce: random and unique for every request (anti-replay: Twitter uses it to detect a request submitted more than once)
  oauth_signature: cryptographic signature of the request (HMAC-SHA1 computed as above, base64 then percent-encoded)
  oauth_signature_method: currently HMAC-SHA1
  oauth_timestamp: seconds since epoch (Twitter rejects requests whose timestamp is too far from its own clock)
  oauth_token: the user access token previously obtained
  oauth_version: currently 1.0

247 Twitter Authentication & Authorization - Application-user Authentication - Obtaining access token
To obtain a user access token:
  1. Get a request token (server to server)
  2. Send the user to Twitter to approve the application (browser)
  3. Exchange the request token, together with the oauth_verifier returned by the callback, for an access token (server to server)
The access token is then used to interact on behalf of the user.

248 Twitter Authentication & Authorization - Application-user Authentication - Step 1 - Get a request token
  POST https://api.twitter.com/oauth/request_token
  Content-Type: application/x-www-form-urlencoded
  Authorization: OAuth realm="https%3A%2F%2Fapi.twitter.com",
      oauth_consumer_key="LGYbJs9HKa7PgovBM92uQ",
      oauth_signature_method="HMAC-SHA1",
      oauth_timestamp="1386164583",
      oauth_nonce="8MWKpm",
      oauth_version="1.0",
      oauth_signature="jsrz82u61LrG0QeaRNDx0emXyLY%3D"

  oauth_callback=http%3A%2F%2Ffabrice.delhoste.com
oauth_callback is URL-encoded and must match the callback defined in the dashboard settings.
WARNING: in Postman OAuth 1.0, token and token secret must remain empty for now (there is no token yet; the signing key is "{consumer_secret}&").
Response:
  oauth_token=yWaXUQ8jxdlw7nAGbfdWFiUeJK9qeTD2dDhvJVWGc
  &oauth_token_secret=Lbx2VlADy9wZfhOyzKa4ukeSXSRUEcXoyvGAZOAwSg
  &oauth_callback_confirmed=true
oauth_token: the request token to use in steps 2 and 3.
oauth_token_secret: used in the signature computation of step 3.

249 Twitter Authentication & Authorization - Application-user Authentication - Step 2 - User interaction
In the browser (GET):
  https://api.twitter.com/oauth/authenticate?oauth_token=yWaXUQ8jxdlw7nAGbfdWFiUeJK9qeTD2dDhvJVWGc   (the request token)
"authorize" may be used instead if you want the user to confirm every time; "authenticate" (no prompt for a user who already approved the application) only works if it is enabled in the dashboard.
Once the user approves, Twitter redirects to the callback with the request token and an oauth_verifier; the verifier proves that the user actually took part in the approval process (step 3 cannot be completed with the request token alone).
  Redirected to: http://fabrice.delhoste.com/?
oauth_token=yWaXUQ8jxdlw7nAGbfdWFiUeJK9qeTD2dDhvJVWGc&oauth_verifier=Gmm1McgeK19qlP2zneLb2akKpgP9t2n0oc8GuWq3cZ8

250 Twitter Authentication & Authorization - Application-user Authentication - Step 3 - Exchange request token for an access token
  POST https://api.twitter.com/oauth/access_token
  Authorization: OAuth realm="https%3A%2F%2Fapi.twitter.com",
      oauth_consumer_key="LGYbJs9HKa7PgovBM92uQ",
      oauth_token="yWaXUQ8jxdlw7nAGbfdWFiUeJK9qeTD2dDhvJVWGc",
      oauth_signature_method="HMAC-SHA1",
      oauth_timestamp="1386287051",
      oauth_nonce="ZWTbrv",
      oauth_version="1.0",
      oauth_signature="2Um29j9BNg94FmkKimtj3ZVMbxg%3D"

  oauth_verifier=Gmm1McgeK19qlP2zneLb2akKpgP9t2n0oc8GuWq3cZ8
oauth_token here is the request token of step 1. WARNING: now, in Postman OAuth 1.0, the request token and its secret must be set so that they take part in the signature.
Response:
  oauth_token=18229030-6lOPdgeL0rqluEeajCVOyMLoU2i0I4d8HfvOJBguA
  &oauth_token_secret=F1C3DUHjMii8Z6VWPl5BqaMrEGvRcislkQzBKB446zAM7
  &user_id=18229030
  &screen_name=spifd
These are the user access token and its secret: store them server-side, never ship them to a client, and sign every subsequent user-level request with them.

251 Twitter Authentication & Authorization - Application-only Authentication

Twitter Authentication & Authorization - Application-only Authentication - How to sign
How to sign application-level requests?
Use the Authorization HTTP header with the bearer token. Ex: Authorization: Bearer AAAAAA (bearer token)

[254] Twitter Authentication & Authorization - Application-only Authentication - Obtaining access token
To obtain an application-only access token (bearer token): POST to /oauth2/token with HTTP Basic authentication, using the consumer key as login and the consumer secret as password.
Used to interact on behalf of an application. Ex: search tweets.

[255] Twitter API - Authentication & Authorization - Application-only Authentication - Obtaining an Application Access Token
POST https://api.twitter.com/oauth2/token
Authorization: Basic eHZ6MWV2RlM0d0VFUFRHRUZQSEJvZzpMOHFxOVBaeVJnNmllS0dFS2hab2xHQzB2SldMdzhpRUo4OERSZHlPZw==
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=client_credentials
The Basic credentials are Base64( urlencode({consumerKey}) + ":" + urlencode({consumerSecret}) ). Ex: base64(xvz1evFS4wEEPTGEFPHBog:L8qq9PZyRg6ieKGEKhZolGC0vJWLw8iEJ88DRdyOg)
In Postman, simply use HTTP Basic authentication, filling login and password accordingly.
Response: {"access_token":"AAAAAAAAAAAA","token_type":"bearer"}

[256] Twitter API - Authentication & Authorization - Application-only Authentication - Revoking an Application Access Token
POST https://api.twitter.com/oauth2/invalidate_token
Authorization: Basic eHZ6MWV2RlM0d0VFUFRHRUZQSEJvZzpMOHFxOVBaeVJnNmllS0dFS2hab2xHQzB2SldMdzhpRUo4OERSZHlPZw==
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

access_token=AAAAAAAAAAAA (the bearer token to invalidate; warning: Postman url-encodes)
Response: {"access_token":"AAAAAAAAAAAAA"}

Twitter API Console by Apigee - Explore the Twitter API easily

[258] Twitter API Console
https://dev.twitter.com/console (provided by Apigee)

[259] Twitter Authentication & Authorization - Practical Work
In Postman and your browser, build a "Twitter Auth" collection of HTTP requests to:
- Get an Application-user access token
- Get an Application-only access token
- Invalidate an Application-only access token

Twitter REST API
Twitter REST API?
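The application-only flow from the slides above (obtain, use, revoke), as an added Python example that is not the deck's code: the key/secret pair is the sample pair printed on the slide (Twitter's documentation sample, not live credentials), so the computed Basic value can be checked against the one shown there; the request builders return what would be sent, nothing goes on the network.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Added example, not the deck's own code: the header and body computations of
# the application-only flow. Key and secret are the sample pair shown on the
# slide (Twitter's documentation sample), not live credentials.
SAMPLE_CONSUMER_KEY = "xvz1evFS4wEEPTGEFPHBog"
SAMPLE_CONSUMER_SECRET = "L8qq9PZyRg6ieKGEKhZolGC0vJWLw8iEJ88DRdyOg"
TOKEN_URL = "https://api.twitter.com/oauth2/token"
INVALIDATE_URL = "https://api.twitter.com/oauth2/invalidate_token"

def basic_credentials(consumer_key, consumer_secret):
    """Base64(urlencode(key) + ':' + urlencode(secret)), as the slide states."""
    raw = f"{quote(consumer_key, safe='')}:{quote(consumer_secret, safe='')}"
    return base64.b64encode(raw.encode()).decode()

def token_request(consumer_key, consumer_secret):
    """Method, URL, headers and body of the POST that obtains a bearer token."""
    headers = {
        "Authorization": "Basic " + basic_credentials(consumer_key, consumer_secret),
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    return "POST", TOKEN_URL, headers, "grant_type=client_credentials"

def bearer_token_from_response(body):
    """Accept only a bearer token; anything else is a protocol error, not a token."""
    doc = json.loads(body)
    if doc.get("token_type") != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response: " + body)
    return doc["access_token"]

def bearer_header(access_token):
    """What every application-only request (search/tweets, ...) carries."""
    return {"Authorization": "Bearer " + access_token}

def invalidate_request(consumer_key, consumer_secret, access_token):
    """Revocation: same Basic credentials, and the token URL-encoded exactly once
    in the body (the 'Postman url-encodes' warning on the slide)."""
    _, _, headers, _ = token_request(consumer_key, consumer_secret)
    return "POST", INVALIDATE_URL, headers, urlencode({"access_token": access_token})
```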
https://api.twitter.com/
Current release: 1.1
Get data in and out of Twitter: Read, Publish, Delete, Search.
Authentication: OAuth 1.0
Note: in the next slides, OAuth 1.0 signatures are omitted to ease readability.

[262] Twitter REST API - Resources-oriented
- Every object has a unique identifier
- All data returned as JSON (or XML)
- Resources: https://api.twitter.com/1.1/{...}

[263] Twitter REST API - Resources
Timelines, Tweets, Search, Streaming, Direct Messages, Friends & Followers, Saved Searches, Users, Places & Geo, Suggested Users, Favorites, Lists, OAuth, Help, Trends, Spam Report

[264] Twitter REST API - Reading
- GET
- Permissions applied (access token)
- Response: JSON
Timelines: User timeline, Home timeline, Retweets and Mentions. Also Tweets, Retweets, Retweeters, Direct Messages, Friends & Followers, Suggested Users, Favorites, Lists, ... mostly everything you dream of.

[265] Twitter REST API - Home Timeline
https://api.twitter.com/1.1/statuses/home_timeline.json
[
  {
    "created_at": "Sun Dec 15 10:11:57 +0000 2013",
    "id": 412163108439072800,
    "id_str": "412163108439072768",
    "text": "Goodbye Car Lanes: Madrid Wants To Take Back Streets For Pedestrians http://t.co/8b1iwNqYRS",
    "source": "SocialFlow",
    "truncated": false,
    "in_reply_to_status_id": null,
    "in_reply_to_status_id_str": null,
    "in_reply_to_user_id": null,
    "in_reply_to_user_id_str": null,
    "in_reply_to_screen_name": null,
    "user": {
      "id": 2735591,
      "id_str": "2735591",
      "name": "Fast Company",
      "screen_name": "FastCompany",
      "location": "New York, NY",
      "description": "Official Twitter feed for the Fast Company business media brand; inspiring readers to think beyond traditional boundaries & create the future of business.",
      "url": "http://t.co/LVE88WcJTX",
      "entities": { },

[266] Twitter REST API - Pagination
- count: maximum number of tweets to get (up to count)
- max_id and since_id parameters:
  - max_id: tweets lower than or equal to this id
  - since_id: new tweets since this id

[267] Twitter REST API - Pagination with max_id
max_id: tweets lower than or equal to this id
Problem: page consistency. Typical
offset-based cursor problem: 2 new tweets, my page shifts.
Solution: use max_id. max_id brings consistency whatever happens in the meantime.

[268] Twitter REST API - Pagination with since_id
since_id: tweets greater than this id
Best: combine since_id and max_id. Imagine I have already processed tweets 9 and 10; I don't want them again: consistent paging.

[269] Twitter REST API - Example
https://api.twitter.com/1.1/statuses/home_timeline.json?&count=5
Get the 5 latest tweets. Last tweet from the result:
[
  {
    "created_at": "Sun Dec 15 12:22:45 +0000 2013",
    "id": 412196025378820096,
    "id_str": "412196025378820096",
    "text": ".@Jeff Clavier #Kimaday presentation\nThings startups need to know if they want to raise capital from Silicon Valley: http://t.co/xZVZW6wdP6",
    "source": "bitly",
    "truncated": false,
    "in_reply_to_status_id": null,
  }
]

[270] Twitter REST API - Example
https://api.twitter.com/1.1/statuses/home_timeline.json?&max_id=412196025378820095&count=5
max_id is the id-1 of the last tweet from the previous result.
[
  {
    "created_at": "Sun Dec 15 12:13:22 +0000 2013",
    "id": 412193666464489472,
    "id_str": "412193666464489472",
    "text": "The old adage that \"People are hired for their talents and fired for their behavior\" is true. http://t.co/evY73iGtyI",
    "source": "SocialFlow",
    "truncated": false,
    "in_reply_to_status_id": null,
    "in_reply_to_status_id_str": null,
    "in_reply_to_user_id": null,
    "in_reply_to_user_id_str": null,
    "in_reply_to_screen_name": null,
    "user": {
      "id": 2735591,
      "id_str": "2735591",
      "name": "Fast Company",
      "screen_name": "FastCompany",
      "location": "New York, NY",

[271] Twitter REST API - Publishing
- POST with a specific URL path
- Access token required, with permissions.

Twitter REST API - Tweet
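The max_id/since_id walk from the pagination slides above, as an added Python example that is not part of the deck: it pages a constructed in-memory stand-in for home_timeline.json while two new tweets arrive between requests, so the offset-paging drift of slide 267 shows up as duplicated tweets while the max_id walk stays consistent. Ids are read from id_str because slide 265 shows "id": 412163108439072800 next to "id_str": "412163108439072768", a 64-bit id that the JSON viewer rounded.

```python
# Added example, not the deck's own code: the max_id/since_id walk of the
# pagination slides, run against a constructed in-memory timeline that stands
# in for GET statuses/home_timeline.json (no network involved).

def make_timeline(ids):
    """Constructed tweets; only id_str is used. Slide 265 shows "id":
    412163108439072800 next to "id_str": "412163108439072768": the 64-bit id was
    rounded by a JSON viewer, so arithmetic on ids must start from id_str."""
    return [{"id_str": str(i), "text": f"constructed tweet {i}"} for i in ids]

def fetch(timeline, count=5, max_id=None, since_id=None, page=None):
    """Stand-in for the API: newest first, at most `count` tweets with
    since_id < id <= max_id. `page` emulates the naive offset paging the slide
    warns about (it is not a home_timeline parameter)."""
    tweets = sorted(timeline, key=lambda t: int(t["id_str"]), reverse=True)
    if max_id is not None:
        tweets = [t for t in tweets if int(t["id_str"]) <= max_id]
    if since_id is not None:
        tweets = [t for t in tweets if int(t["id_str"]) > since_id]
    start = (page - 1) * count if page else 0
    return tweets[start:start + count]

def read_all_with_max_id(timeline, count, arrivals):
    """Walk backwards with max_id = (lowest id seen) - 1, as slide 270 does.
    `arrivals` are batches of new tweets landing between two requests."""
    seen, max_id = [], None
    while True:
        page = fetch(timeline, count, max_id=max_id)
        if not page:
            return [t["id_str"] for t in seen]
        seen.extend(page)
        max_id = int(page[-1]["id_str"]) - 1
        timeline.extend(arrivals.pop(0) if arrivals else [])

def read_all_with_offset(timeline, count, arrivals):
    """Same walk with a page number: new tweets push everything down, so the
    tail of one page comes back as the head of the next (duplicates)."""
    seen, page_no = [], 1
    while True:
        page = fetch(timeline, count, page=page_no)
        if not page:
            return [t["id_str"] for t in seen]
        seen.extend(page)
        page_no += 1
        timeline.extend(arrivals.pop(0) if arrivals else [])

def catch_up_with_since_id(timeline, last_processed_id, count=5):
    """Only what is newer than the last tweet already processed (slide 268)."""
    return [t["id_str"] for t in fetch(timeline, count, since_id=last_processed_id)]
```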
POST https://api.twitter.com/1.1/statuses/update.json
Content-Type: application/x-www-form-urlencoded
Body (must be URL-encoded): status=Hello http://www.yahoo.fr
Returns the newly created tweet (note the automatic URL shortener in "text"):
{
  "created_at": "Sun Dec 15 21:41:34 +0000 2013",
  "id": 412336655019028480,
  "id_str": "412336655019028480",
  "text": "Hello http://t.co/YZjB4ccR4b",
  "source": "Training-API",
  "truncated": false,
  "in_reply_to_status_id": null,
  "in_reply_to_status_id_str": null,
  "in_reply_to_user_id": null,
  "in_reply_to_user_id_str": null,
  "in_reply_to_screen_name": null,
  "user": {

[273] Twitter REST API - Deleting
- POST with a specific URL path (not DELETE; not a query parameter)
- Access token required, with permissions.

[274] Twitter REST API - Delete a tweet
POST https://api.twitter.com/1.1/statuses/destroy/412342464415301632.json
{
  "geo": null,
  "in_reply_to_user_id_str": null,
  "user": {
    "is_translator": false,
    "contributors_enabled": false,
    "profile_background_tile": false,
    "name": "TestSpi",
    "listed_count": 0,
    "lang": "en",
    "profile_sidebar_fill_color": "DDEEF6",
    "statuses_count": 5,

[275] Twitter REST API - Searching
- Search for tweets: fine-grained search based on location, language, ...
- Search for users: pagination with page & count parameters
- Search for places
- Save search
- Trends

[276] Twitter REST API - Searching tweets
GET https://api.twitter.com/1.1/search/tweets.json?q=iphone
{
  "statuses": [
    {
      "metadata": {
        "result_type": "recent",
        "iso_language_code": "ru"
      },
      "created_at": "Tue Dec 17 16:31:16 +0000 2013",
      "id": 412983343559745536,
      "id_str": "412983343559745536",
      "text": " iPhone 5s: ",
      "source": "TwitApplet",
      "truncated": false,

[277] Twitter REST API - Searching users
https://api.twitter.com/1.1/users/search.json?q=lady&count=2
Pagination with count and page parameters (see doc).
[
  {
    "id": 14230524,
    "id_str": "14230524",
    "name": "Lady Gaga",
    "screen_name": "ladygaga",
    "location": "real life gypsy",
    "description": "A pop star from the 70's trapped in 2013. \r\n\r\n'You are a legend. Make a sculpture of you.
Self-invention matters. You are the artist of your own life.' -#ARTPOP",
    "url": null,
    "entities": {
      "description": {
        "urls": []
      }
    },

[278] Twitter REST API - Practical Work
Create a "Twitter API" collection where you create HTTP requests to:
- Get your Twitter timeline
- Get the 20 latest tweets from your timeline
- Get the next 10 tweets
- Get your timeline, reducing the payload to just the tweets
- Post a tweet
- Delete a tweet

[279] Twitter REST API - Practical Work
- Favorite a tweet
- Search tweets on behalf of an application
- Search tweets on behalf of a user

Twitter Streaming API

[281] Twitter Streaming API
https://dev.twitter.com/docs/streaming-apis
- Receives realtime push data
- Long-lived HTTP request: a never-ending request
- Parse the response incrementally

[282] Twitter Streaming API - Streams
- Public Streams: monitoring and collecting public data.
- User Streams: single user stream. Usually client-side.
- Site Streams: multiple user streams at once. Server-side.

[283] Twitter Streaming API - Public Streams
Subscribing to public data:
- Track keywords
- Track public accounts
- Track geolocated tweets
- 1 single connection

[284] Twitter Streaming API - User Streams
Subscribing to realtime updates on behalf of a single authenticated user (the user himself/herself or followings):
- Track keywords
- Track geolocated tweets
- Limited to a few connections
- Do not use server-side: that would require too many connections

[285] Twitter Streaming API - Site Streams
- Subscribing to realtime updates for a large number of users
- Restricted (whitelist demand)
- Limited Beta

[286] Twitter Streaming API - Practical Work
- Use NetBeans to create a simple Maven Java console application project
- Use Twitter Hosebird Client (hbc) to connect to your user stream
  - Add as Maven dependency (pom.xml)
  - WARNING: this is rate-limited (error 420).
    Don't connect too often till you're sure about your code.
  - https://github.com/twitter/hbc
  - WARNING: the current hbc implementation does not handle an HTTP proxy - fork and fix it in the ClientBuilder class
- Use Apache HttpClient to cross-post your tweets to a Facebook test user as they are received
  - Add as Maven dependency (pom.xml): http://hc.apache.org/httpcomponents-client-4.3.x/quickstart.html
  - Put a hard-coded access token
- Open your browser on both the test user and Twitter to check
- Temporarily follow someone active to generate tweets

Twitter Developer Tools

Twitter Support & Maintenance

[289] Twitter Support & Maintenance - API Status

[290] Twitter Support & Maintenance - API Issues

[291] Twitter Support & Maintenance

[292] Twitter Support & Maintenance - Discussions

[293] Twitter Support & Maintenance - Follow!
Twitter: @twitterapi, @TwitterEng (Twitter engineering)

[294] THANKS
- Export and send me all of your Postman collections
- Export and send me all of your project and source files