
I want to call Facebook’s Graph API from the client to READ public posts on a page using a permanent Page Access Token. I’m curious if this is safe (or how to make it safe). From everything I’ve read and tried, an access token is required to perform this operation and none of Facebook’s other functionality will suit my needs (see background below).

https://developers.facebook.com/docs/javascript/reference/FB.api/ suggests that it is safe to expose Page Access Tokens to the client, but I’m suspicious they’re lying to me.

Background:
I’m working with a group that wants to display some posts from their Facebook feed on their WordPress website. They don’t want to display all posts, but rather filter them based on a hashtag. I don’t know a ton about WordPress, but I’m guessing I can’t implement custom back-end API calls on a WordPress site. Please suggest any alternative solutions that you might have!

2 Answers


  1. Of course it is possible to do that kind of backend call with WordPress. And it would be the far better way, I think.

    First you can use WP-Cron to time your Facebook calls. You could create a cron job every hour or so.

    WP Developer Scheduling WP Cron Events

    WordPress Codex wp_cron Function Reference

    Kinsta Knowledgebase WordPress Cron Job Tutorial

    If you are working with WP-Cron for the first time, keep one thing in mind: WP-Cron depends on site activity to run. So if there is no traffic on the WordPress site, no cron jobs are run. Here is a link on how to add WP-Cron to your system's cron, so your API call will run every time you intend it to:

    WP Developer Hooking WPCron into System Task Scheduler

    The cron job can then use the WordPress HTTP API to make the call. You should check the docs on the HTTP API and the wp_remote_request function in particular.

    WordPress Codex HTTP API

    WP Developer wp_remote_request Reference

    Or you could install the Facebook SDK with your Theme/Plugin.

    I’m not sure about the security impacts of using a Page Access Token on the client, but it seems to me that it would be a better way to do that kind of job.

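The pattern this answer describes (WP-Cron event, server-side Graph API call via the WordPress HTTP API, cached result rendered to the page) as a small plugin. This is an added example, not code from the question or from either answer. It assumes the Page ID, the permanent Page Access Token and the hashtag are defined as constants in wp-config.php under the hypothetical names HTFEED_PAGE_ID, HTFEED_PAGE_TOKEN and HTFEED_HASHTAG, and it assumes a Graph API version string and the `message`, `permalink_url` and `created_time` post fields; adjust those to what your app targets. The token is sent in an Authorization header, so it never appears in the browser, in the page HTML, or in a query string.

```php
<?php
/**
 * Plugin Name: Hashtag Feed (added example, not from the original thread)
 *
 * Fetches Page posts server-side on a WP-Cron schedule, keeps only those
 * carrying a given hashtag, caches them in an option, and renders them with
 * the [htfeed] shortcode. The Page Access Token never reaches the client.
 */

defined( 'ABSPATH' ) || exit;

// Assumed to be defined in wp-config.php (hypothetical names), e.g.:
// define( 'HTFEED_PAGE_ID',    '123456789' );
// define( 'HTFEED_PAGE_TOKEN', 'EAAB...' );   // permanent Page Access Token
// define( 'HTFEED_HASHTAG',    '#community' );
const HTFEED_GRAPH_VERSION = 'v19.0';          // assumption: use the version your app targets
const HTFEED_OPTION        = 'htfeed_posts';
const HTFEED_CRON_HOOK     = 'htfeed_refresh';

// 1. Schedule an hourly refresh on activation; remove it on deactivation.
register_activation_hook( __FILE__, function () {
    if ( ! wp_next_scheduled( HTFEED_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'hourly', HTFEED_CRON_HOOK );
    }
} );
register_deactivation_hook( __FILE__, function () {
    wp_clear_scheduled_hook( HTFEED_CRON_HOOK );
} );

// 2. Cron callback: server-to-server call, token in a header, never in the page.
add_action( HTFEED_CRON_HOOK, 'htfeed_refresh_posts' );

function htfeed_refresh_posts() {
    if ( ! defined( 'HTFEED_PAGE_ID' ) || ! defined( 'HTFEED_PAGE_TOKEN' ) ) {
        return; // misconfigured: do nothing rather than fall back to a client-side call
    }

    $url = add_query_arg(
        array(
            'fields' => 'id,message,permalink_url,created_time',
            'limit'  => 50,
        ),
        sprintf(
            'https://graph.facebook.com/%s/%s/posts',
            HTFEED_GRAPH_VERSION,
            rawurlencode( HTFEED_PAGE_ID )
        )
    );

    $response = wp_remote_get( $url, array(
        'timeout' => 15,
        'headers' => array( 'Authorization' => 'Bearer ' . HTFEED_PAGE_TOKEN ),
    ) );

    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        // Log only the fact of failure; error bodies can echo request details.
        error_log( 'htfeed: Graph API request failed' );
        return;
    }

    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $body ) || empty( $body['data'] ) ) {
        return;
    }

    $hashtag = defined( 'HTFEED_HASHTAG' ) ? HTFEED_HASHTAG : '';
    update_option( HTFEED_OPTION, htfeed_filter_by_hashtag( $body['data'], $hashtag ), false );
}

// Keep posts whose message contains the hashtag as a whole tag, case-insensitively,
// so "#community" matches but "#communityday" does not.
function htfeed_filter_by_hashtag( array $posts, $hashtag ) {
    $hashtag = ltrim( $hashtag, '#' );
    if ( '' === $hashtag ) {
        return $posts;
    }
    $pattern = '/(^|\s)#' . preg_quote( $hashtag, '/' ) . '(?!\w)/iu';
    return array_values( array_filter( $posts, function ( $post ) use ( $pattern ) {
        return isset( $post['message'] ) && preg_match( $pattern, $post['message'] );
    } ) );
}

// 3. Shortcode: render the cached posts, escaping everything that came from the API.
add_shortcode( 'htfeed', function () {
    $posts = get_option( HTFEED_OPTION, array() );
    if ( empty( $posts ) ) {
        return '<p>No posts yet.</p>';
    }
    $out = '<ul class="htfeed">';
    foreach ( $posts as $post ) {
        $out .= sprintf(
            '<li><a href="%s" rel="noopener">%s</a> <time>%s</time></li>',
            esc_url( $post['permalink_url'] ?? '' ),
            esc_html( $post['message'] ),
            esc_html( $post['created_time'] ?? '' )
        );
    }
    return $out . '</ul>';
} );
```

Because WP-Cron only fires on page requests, a low-traffic site should set `define( 'DISABLE_WP_CRON', true );` in wp-config.php and call `wp-cron.php` from the system crontab, as the answer's last link describes; the refresh then runs on schedule regardless of visitors. Two small choices worth noting: the token goes in an `Authorization: Bearer` header rather than an `access_token` query parameter, so it is not written to access logs, and the cron callback stores only the filtered post data, so the shortcode never touches the token at all.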
  2. Access Tokens are like house keys: you NEVER leave them in front of the door. Which means you should NEVER hardcode any Access Token, no matter if it is an App, Page or User Token. The docs do not state anywhere that it is ok to expose tokens; they just state how you can use a Page Token on the page in your question, but you cannot just hardcode it on the client.

    Vulnerabilities: Without extra permissions, this would be more like a privacy issue, because you can get a lot more info with a Page Token (as the Page owner) than with a simple App Token.
