Kirill Nortox, co-founder and developer of the FBTool Pro service, talked about the Facebook API at the MAC 2021 conference. He also explained why there’s no point in being alarmed by Facebook automation.
API Access Paths
- The basic API access path is described in the documentation. You’ll require a token.
- Cookies are required too, but there’s a way to replace a token. This method unveils certain opportunities (e.g., you can bind a bank card).
- Web API user interface. These are queries that Facebook conceals from developers. No outsider ever sees what goes on behind the scenes. The request is sent to the platform and things happen out of sight.
Token
To make automation work, you have to use methods where tokens are required. What’s a token?
A token is a passkey that contains information about the account the requests come from, the application that issued the token, and the actions the token can perform.
The first 10-15 characters vary depending on the app that issued the token.
How to Obtain a Token?
There are two ways to obtain a token:
- Create a DIY Facebook app. This method is mainly used by services for advertisers of white offers outside CIS market.
- Use a Facebook app’s token. You can copy it from the source code of the Ads Manager.
DIY app
Pros:
- Safe.
- Official.
In this case, it doesn’t matter which IP and UserAgent send requests to the API. That’s the official working practice with Facebook.
Cons:
- Moderation.
- Limitations. For example, if you have a lot of ads running on your account, which receive a lot of user comments, you won’t be able to monitor comments often.
- Limited feature set. You won’t be able to bind cards or create a Fan Page.
- Risk of ban and app disabling. If 10-15 accounts are banned for violating the rules of the social network, the app will be banned as well.
This method is not suitable for automation. Therefore, FBTool works with tokens from the Ads Manager.
Ads Manager token
Pros:
- The accounts cannot be linked since the token is issued by the official Facebook app.
- Limitless possibilities.
Cons:
- IP issues on accounts with low trust.
- It’s difficult to automate the process of obtaining official tokens on a large scale in terms of quality since it requires logging in from a trusted IP address or using Cookies via a quality anti-detect browser so that Facebook does not interlink accounts.
Browser API
Why is the token in the source code? Because it allows Facebook to offload its servers.
Let’s consider the case when the advertiser has many ad campaigns. So that he or she doesn’t have to wait for the whole page to load, the page elements are loaded gradually. First, a table with ad campaigns in the cabinet is loaded, followed by statuses and statistics.
Gradual page loading occurs because Facebook sends a script to the advertiser’s browser that loads the page user-side and fills it with the user’s content.
Hence using this method is not a sure way to get caught, since the script is designed to send requests to this API. This is natural when you’re working with an Ads Manager.
Automation Principle
According to the above principle, log in with your username and password or with Cookies. Facebook will generate a token with the required information. It has pre-approved the account. This allows the browser to access the API. To make automation work, copy the token and paste it.
What does Facebook monitor through the API?
- A token it has generated.
- UserAgent (browser type and version).
- The IP address managed via proxy.
Facebook can’t obtain information about the hardware. To obtain the hardware information, Facebook has to send JavaScript code that is executed by the user’s browser, which then sends the information back to Facebook. Since developers can see the response source code, they can see that no scripts were sent.
If you work with a token, there will be no extra sessions.
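The three signals listed above, seen from the platform side: the sketch below is an added example, not code from the talk and not Facebook's actual logic. It flags tokens whose API requests drift from the IP network or UserAgent recorded at issuance, and escalates only when two signals combine. The log format, field names, /24 granularity and thresholds are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real traffic): (token_id, event, ip, user_agent)
SAMPLE_LOG = [
    ("tokA", "issue", "203.0.113.10", "Mozilla/5.0 Chrome/120"),
    ("tokA", "api",   "203.0.113.10", "Mozilla/5.0 Chrome/120"),
    ("tokA", "api",   "203.0.113.77", "Mozilla/5.0 Chrome/120"),  # same /24
    ("tokB", "issue", "198.51.100.5", "Mozilla/5.0 Firefox/121"),
    ("tokB", "api",   "192.0.2.44",   "python-requests/2.31"),    # new net + new UA
    ("tokB", "api",   "192.0.2.90",   "python-requests/2.31"),
    ("tokC", "api",   "192.0.2.1",    "curl/8.4"),                # never seen issued
]

def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its /prefix network for coarse comparison."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def score_tokens(log, prefix=24):
    """Return {token_id: sorted findings} for tokens that drift from issuance context."""
    issued = {}                    # token_id -> (network, user_agent) at issuance
    findings = defaultdict(set)
    for token, event, ip, ua in log:
        net = network_of(ip, prefix)
        if event == "issue":
            issued[token] = (net, ua)
            continue
        if token not in issued:
            findings[token].add("no_issuance_record")
            continue
        base_net, base_ua = issued[token]
        if net != base_net:
            findings[token].add("ip_network_changed")
        if ua != base_ua:
            findings[token].add("user_agent_changed")
    return {t: sorted(f) for t, f in findings.items()}

def triage(log):
    """Two or more independent signals escalate; a single signal is only logged."""
    return {t: ("escalate" if len(f) >= 2 else "log")
            for t, f in score_tokens(log).items()}

if __name__ == "__main__":
    verdicts = triage(SAMPLE_LOG)
    for token, found in score_tokens(SAMPLE_LOG).items():
        print(token, found, verdicts[token])
```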
Some Reasons for Bans
According to Kirill, Facebook never bans an account for a single reason, but for a combination of factors. In his report, he shared some reasons for bans.
- Attempted account hacking.
There was a case with an account that had been processed for a year. It was added without the proxy. It had the IP address of the service, which did not coincide with the IP address of the user’s hardware.
On the day the account was hacked, it was reset so that a new password could be entered. It turns out that Facebook didn’t care about it for a year, but as soon as the user reset the account’s password, the account’s trust dropped.
- Wired Internet distribution via the smartphone. There was a publisher whose accounts were banned all the time. It turned out that he was distributing a wired Internet connection from his smartphone to the PC. He was changing the IP address in flight mode. The day he created a WLAN access point in the smartphone, the problem was gone.
- Suspicious Instagram activity. Kirill had a personal account in the service for two years. He added it several times using different proxies and UserAgents with no problem. The day he logged into his Instagram account, which was linked to his Facebook account, from his new smartphone, Facebook noticed a suspicious login.
- Purchased token. Purchased tokens are reviewed quite often. However, if you obtain the token yourself, there will be no such problem.
- IP/subnet giveaway (including mobile network).
API Proxies
You might want to use proxies from which you took the token, including mobile proxies.
It is widely stated that when it comes to mobile proxies with an IP address unchanged, Facebook will link all accounts and block them all. But Facebook cannot link accounts’ IP addresses by API.
The FBtool team conducted various tests such as adding several mobile proxies to the service. They had an assumption that mobile proxies would affect the accounts’ trust in a good way.
As a result, amid ISP’s issues with IP address changing, some of the accounts were turned down.
It turns out that if you change the IP address before making a request to each account instead of working from a single IP address, each IP address change may be the last.
If you don’t have an opportunity to work from the IP address from which you took the token, Kirill advises you to opt for proxies that provide a stable connection, like backendIPv4, for example.
How to Use Mobile Proxies?
- It pays if the token was taken from the same proxy.
- Don’t ever enable IP auto-change. That’s evil.
There’s a misconception that when you automatically change your IP address, you imitate a real user’s behavior who travels around the city. Only when people travel around, their IP address changes from one cell tower to another, but not within a single cell tower.
There are still few advertisers of white offers who run ads on Facebook via the mobile web.
- The fewer IP address changes, the better.
- The number of accounts per proxy is limited by the proxy’s capacity.
Mobile Proxy Analysis
The FBtool team analyzed a mobile proxy in Moscow. They changed their IP address every two minutes for a month and documented the IP address after each change.
What did analysis findings tell them? Mobile proxies are not a panacea. A single cell tower provides a limited set of IP addresses. Facebook knows that these IP addresses are coming from a single cell tower. So it can link accounts with no problem. Especially when there are 10-20 accounts within a single cell tower that start running ads in one day from a new location.