Friday, October 07, 2016

Facebook Account Kit Tutorial - Backend Verification using Node.js

Recently I have been developing secure production app using Facebook account kit for seamless authentication across mobile and web platform. Account kit is widely used in many apps such as Saavn and many other. I found that backend verification in Account kit for every request from mobile/ SPA should be handled manually by developers and no libraries available till date. so, I'm writing this post for Indie Game and mobile developers as a reference guide.

So what's Facebook Account kit all about ? 

It's seamless authentication method via OTP way to verify the user with Mobile Number and login into App without any passwords. Whereas it provides access token to verify the authenticated user in backend server without worrying about the access token generation, revocation logics. It's all about securing the access token and using it over HTTPS connection while connecting between your app and backend.

Facebook Account Kit Tutorial - Backend Verification using Node.js
Facebook Account Kit Tutorial - Backend Verification using Node.js

Prerequisites :

In this tutorial, we'll solely concentrate on Backend verification and authorising the legal request made by the apps.
  • Facebook Developer Account 
  • Good Knowledge on Node.js routeing
  • Rest API client
  • Good logical error handling skill

How Does Account Kit works ?

When the user signup using his mobile number, he would receive the OTP via SMS Carrier from facebook server. after authenticating OTP password, the account kit sdk gives you the long live Access token or Client side temporary exchange token(this depends on application).

  • With the received access token, securely post it your Mobile backend server (probably HTTPS to avoid man-in-the-middle attack)
  • with that access token you can call the Account Kit API end point to check that the access token is valid as well it provides you mobile number or E-mail
  • As response contains mobile number, you can identify the user and provide the user with the service appropriately.
  • Most important thing is you should pass the access token everytime from the client to the server in order to verify the authenticity of the user.

Getting Started :

You should have good knowledge in routeing technique since we are going to concentrate on Express.js, if you're beginner check out this link to learn more.

Concept :

Since we need to authenticate every request from the app that comes along with access token and others data we could write a middleware to authenticate the every request in the beginning before it executes the API code.

Middleware is nothing but a piece of code which is executed before each and every request entering our express routes. probably we need to write the Account kit verification code here and if it is a success we can make the request to propagate to the corresponding the function else just terminate the live request with authentication errors spitting.

Sample code : 

here is sample code to authenticate your mobile backend API end points. we use request module to send a get request to account kit server by providing the accesstoken in url param while if it responds with 200 status code, we are going to extract the mobile number else we are going to consider the request as failed on and informing to the client as error message. before trying this source code, in Facebook Developer dashboard turn off the App-secret required option and enable client access token flow.

That's it. this is base tutorial on verifying the backend for facebook account kit integrated development.
for any bugs/hugs comment below. For detailed source code and other information just comment below or mail me, chat with me in Google+ or facebook.share is care.


Algorithm Freak, Coder, Web And Android Developer, love to develop Apps for Local Business in my Freetime. For Queries,Quotes Drop me a Mail to


Post a Comment

feel free to post your comments! Don't Spam here! Registered & Protected  Z6HO-DGFO-S2CO-JRZGCopyrights Protected (C)2013-2015 i-visionblog ~ s.shivasurya.

Designed and Maintained by S.Shivasurya | S.Shivasurya