Portal Community
Token lifecycle: The Meta OAuth flow produces a short-lived token (1-hour expiry). This node exchanges it for a long-lived token (60-day expiry). Store the long-lived token in BizFirst Credentials Manager immediately. Schedule auth/refreshToken every 50 days to prevent expiry.

When to Use

Configuration

Connection

This operation handles authentication itself — no pre-existing token is needed as an input. It produces the token.

Operation

FieldRequiredDescription
resourceRequiredMust be auth.
operationRequiredMust be exchange-token.
shortLivedTokenRequiredThe short-lived user access token from the OAuth redirect callback. Expires in 1 hour.
clientSecretOptionalYour Meta app's client secret. Not recommended for production — use clientSecretVaultKey instead.
clientSecretVaultKeyOptionalBizFirst Credentials Manager key referencing the Meta app client secret. Preferred over clientSecret for security. One of clientSecret or clientSecretVaultKey is required.
Secret storage: Never store the clientSecret directly in workflow configuration in production environments. Always use clientSecretVaultKey to reference a secret from the BizFirst Credentials Manager vault. Workflow configurations may be exported or logged — raw secrets in config are a security risk.

Sample Configuration JSON

{
  "resource": "auth",
  "operation": "exchange-token",
  "shortLivedToken": "{{ $trigger.body.shortLivedToken }}",
  "clientSecretVaultKey": "meta_app_client_secret"
}

Validation Errors

ErrorCause
shortLivedToken is requiredshortLivedToken field is missing or empty.
clientSecret or clientSecretVaultKey is requiredNeither secret field is provided.
Graph API error 190The short-lived token is expired (older than 1 hour) or invalid.

Output

Success Port

FieldTypeDescription
statusstring"success"
accessTokenstringThe long-lived access token (60-day expiry). Store immediately in BizFirst Credentials Manager.
tokenTypestringToken type — typically "bearer".
expiresInnumberSeconds until expiry from time of exchange. Typically 5183944 (approx. 60 days).
payloadstringRaw JSON response from the Graph API.

Error Port

FieldTypeDescription
statusstring"error"
errorCodestringGraph API error code.
errorMessagestringError description.
payloadstringRaw error response.

Sample Output JSON

{
  "status": "success",
  "accessToken": "EAABsbCS4sZBwBOZBqk...(long token)",
  "tokenType": "bearer",
  "expiresIn": 5183944,
  "payload": "{\"access_token\":\"EAAB...\",\"token_type\":\"bearer\",\"expires_in\":5183944}"
}

Expression Reference

ExpressionValue
{{ $output.instagram.accessToken }}Long-lived access token to store
{{ $output.instagram.expiresIn }}Seconds until expiry
{{ $output.instagram.tokenType }}Token type string

Node Policies & GuardRails

Examples

OAuth callback handler — exchange and store token

// Triggered by webhook from your OAuth redirect URI
{
  "resource": "auth",
  "operation": "exchange-token",
  "shortLivedToken": "{{ $trigger.body.shortLivedToken }}",
  "clientSecretVaultKey": "meta_app_client_secret"
}
// Next node: store accessToken in Credentials Manager under key "instagram_token_{{ $trigger.body.userId }}"

New tenant onboarding flow

{
  "resource": "auth",
  "operation": "exchange-token",
  "shortLivedToken": "{{ $input.oauthToken }}",
  "clientSecretVaultKey": "{{ $env.META_SECRET_VAULT_KEY }}"
}

Part of the tenant onboarding workflow. After exchange, the accessToken is stored against the tenant ID in the Credentials Manager, and a 50-day cron job is created to refresh it before expiry.