Facebook app (NOT user) access token expiration

Posted 2020-06-08 13:42

Question:

Do Facebook APP access tokens expire? These tokens are different than the USER tokens; they are acquired like this:

https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id={0}&client_secret={1}

as described in the App Login section of the document at http://developers.facebook.com/docs/authentication/.

Are there any circumstances under which they will become invalid?

NB: This is NOT a question about USER access tokens (which are clearly documented). There was an identical question http://facebook.stackoverflow.com/questions/7322063/does-app-login-access-token-expire wrongly closed as duplicate of another question about USER access tokens.

Answer 1:

Per the Facebook documentation:

An App Access Token is signed using your app secret and will not expire; it will be invalidated if you re-key/reset your application secret.



Answer 2:

Creating an APP_ACCESS_TOKEN is really easy. You can use your App ID/API Key and App secret:

access_token = YOUR_APP_ID|YOUR_APP_SECRET

Example: 1234587968 | bghyuifjk3438483249235903502035023504305



Answer 3:

I do know that one condition that will cause them to become invalid is if you reset the Application Secret using the Facebook developer tool.

I do not know if using the OAuth method to produce an App Token will cause it to have an expiration. However, if you scan Facebook's PHP SDK, you may notice that a non-expiring app token is made by concatenating app_id and secret:

  /**
   * Returns the access token that should be used for logged out
   * users when no authorization code is available.
   *
   * @return string The application access token, useful for gathering
   *                public information about users and applications.
   */
  protected function getApplicationAccessToken() {
    return $this->appId.'|'.$this->apiSecret;
  }

WARNING: I would never use this in client-code as it would publish your app secret. However, in a trusted server environment, it seems like the way to go.

To test this, I went to the OpenGraph tool and erased my Access Token and typed in the concatenated value from the code sample. I then accessed my app's insights to verify that it would work:

<APP_ID>/insights/application_active_users

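Added example (not part of the original answer or of Facebook's SDK): because the concatenated token embeds the app secret, this Python sketch scans client-side files for APP_ID|APP_SECRET-shaped strings before they ship. The pattern (5 to 20 digit app ID, 32 hex character secret), the function names and the sample file are assumptions made for illustration.

```python
import re

# Assumptions (not from the page): app IDs are 5-20 decimal digits and app
# secrets are 32 hex characters. Adjust the pattern if yours differ.
APP_TOKEN_RE = re.compile(
    r"(?<![0-9A-Za-z])(\d{5,20})\|([0-9a-fA-F]{32})(?![0-9A-Za-z])"
)


def redact(secret):
    """Keep only the first 4 characters so findings can be logged safely."""
    return secret[:4] + "*" * (len(secret) - 4)


def find_app_tokens(text, known_app_ids=None):
    """Return one finding per APP_ID|APP_SECRET-shaped string in text.

    known_app_ids: optional set of your own app IDs; a match on one of
    them is reported with high confidence.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in APP_TOKEN_RE.finditer(line):
            app_id, secret = m.group(1), m.group(2)
            is_known = bool(known_app_ids) and app_id in known_app_ids
            findings.append({
                "line": lineno,
                "app_id": app_id,
                "secret_redacted": redact(secret),
                "confidence": "high" if is_known else "medium",
            })
    return findings


# Constructed sample: a client-side JavaScript file with a made-up token.
SAMPLE_JS = """\
var page = 'https://example.com/a|b';
var token = "123456789012345|0123456789abcdef0123456789abcdef";
fetch('https://graph.facebook.com/123456789012345/insights?access_token=' + token);
"""

if __name__ == "__main__":
    for finding in find_app_tokens(SAMPLE_JS, known_app_ids={"123456789012345"}):
        print(finding)
```

A hit means the app secret has been published; resetting the secret invalidates tokens built from it, as Answers 1 and 3 state.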

Answer 4:

For me, the answer is not to find a token that doesn't expire (since I do not trust Facebook), but to catch the expiring token and reset without taking up my users' time. I found this and thought you might want to check it out.

"To ensure the best experience for your users, your app needs to be prepared to catch errors for the above scenarios. The following PHP code shows you how to handle these errors and retrieve a new access token.

When you redirect the user to the auth dialog, the user is not prompted for permissions if the user has already authorized your application. Facebook will return you a valid access token without any user facing dialog. However if the user has de-authorized your application then the user will need to re-authorize your application for you to get the access_token." Resource: https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/