In trying to set up the facebook marketing connector, for a Facebook app that will be available for end users to install and integrate their data via our saas product, I am not understanding the access token fields. I continually get invalid scope errors, thought the facebook debugging tool verifies that the requires scopes are present. This is after I initiate FB.login and authenticate

When setting up the Facebook Marketing connector in Airbyte for a SaaS product where end users will connect their own Facebook accounts, there are a few important points to consider regarding access tokens and scopes: 1. Access Token Fields: The Facebook Marketing connector may require you to provide access tokens in multiple fields during configuration. Some users have reported confusion about why there are two access token fields. This can be related to different authentication flows or the way Airbyte manages secrets, especially when using external secret managers. If you are unsure which field to use, ensure you are following the latest connector documentation and UI prompts. If you are using external secrets, make sure the secret naming conventions match what Airbyte expects (e.g., with or without a

_v1

suffix) [Facebook Marketing API configuration setup failure with external secrets](https://github.com/airbytehq/airbyte/issues/46328). 2. Invalid Scope Errors: Even if the Facebook Access Token Debugger shows the required scopes, you may still encounter "invalid scope" errors during the Airbyte connector setup or sync. This is a common issue and is often related to how the token is generated or how permissions are granted. Facebook's permission system is strict, and some permissions require your app to be reviewed and approved by Facebook before they can be used in production. Make sure: - The app has been reviewed and approved for all required permissions (such as

ads_read

,

ads_management

,

pages_read_engagement

, etc.). - The user who is authenticating has granted all requested permissions during the OAuth flow. - You are not using a test user or development token for production data access [How to get your Facebook App reviewed to use with Facebook Marketing connector](https://discuss.airbyte.io/t/1443), [Facebook Marketing connector has been validated successfully but syncs keep failing with an "OAuthException", "(10) Permission Denied" error](https://discuss.airbyte.io/t/1780). 3. Token Generation Flow: The way you initiate the OAuth flow matters. If you are using

FB.login

and then passing the token to Airbyte, ensure that: - The token is a long-lived user access token (not a short-lived one). - The token is generated with all the required scopes in a single authentication flow. - The token is not expired or revoked. 4. App Review and Permissions: Facebook has recently made the process for obtaining advanced permissions more complex, especially for apps that are not classified as "Tech Providers." If your app is intended for end users to connect their own data, you must ensure your app passes Facebook's review for all necessary permissions. Otherwise, even if the token appears valid, API calls may fail with permission errors [new Facebook apps unable to upgrade access to necessary permissions and features](https://github.com/airbytehq/airbyte/issues/35930). 5. Debugging Tips: - Double-check the exact permissions granted to the token using the Facebook Access Token Debugger. - Review the Airbyte logs for specific error messages about missing permissions or invalid scopes. - If you see errors like

(#10) Permission Denied

or

Invalid OAuth access token

, it usually means the token is missing required scopes or is not valid for the requested operation [source-facebook-marketing] Unable to parse access token](https://github.com/airbytehq/airbyte/issues/40609). If you continue to get invalid scope errors despite the debugger showing the correct scopes, it may be due to Facebook's backend not recognizing the app as having the necessary permissions (often due to missing app review approval), or the token being generated in a way that doesn't persist the scopes for API use. Summary: - Ensure your app has been reviewed and approved for all required permissions. - Generate a long-lived access token with all required scopes in a single flow. - Use the correct access token fields in Airbyte, and check for any secret management issues. - Review Airbyte and Facebook logs for more specific error details. If you need more specific troubleshooting, please provide the exact error message from Airbyte and details about your app's permission status.