Facebook is walking a tightrope with its API; they need to expose enough functionality so we can develop compelling services, but guard against malicious applications that could degrade the Facebook user experience, for example by flooding people with spam.
The API is a compromise between these two conflicting goals, and I’m going to cover what you can and can’t do. Overall, I’ve been able to see some patterns in the decisions they’ve made about what to expose, and how to expose it:
- Apps can only see what the logged-in user can see.
- Getting access to any information held by Facebook requires the user to go through a screen where they temporarily authorize, or permanently add, the application.
- The Facebook team are very conservative about letting applications change data held by Facebook. Most of the API is focused on reading data, there’s only a few specific places where you can alter data:
- Adding an application box to the user’s profile. This gives the app a small sandbox to draw something interesting, but the content has to be statically set by the application, and then is stored by Facebook. The only time you can update it is if the user takes an action that involves your application, there’s no way to fetch it dynamically. If there’s some scripts within the markup you place in the box, they aren’t run unless the user clicks on it in the profile.
- Publish an item on the feed. You can only publish to the current user’s feed, and the app is has time limits on how often it may call it, once every 12 hours for stories, 10 times a 48 hour period for actions.
- Send notifications or emails to friends. Again, there’s limits on how many you can send in a day, up to 10 emails and 40 emails and notifications. The user also has to go through an additional screen to authorize emails.
- Photo upload. An app must get additional permission from the user before it’s allowed to upload photos. Each application only has to do this once per user, the permission is granted permanently.
- Setting the user’s status text. This is another operation that requires an additional step of seeking permission from the user.
- There’s no way to use the API to affect anything not covered here, such as adding information to group or event pages.
There is an alternative way to perform some actions that aren’t covered by the API, by hand-crafting Facebook internal URLs, and redirecting to them. There’s actually a bit of official documentation on this here.
Funhouse Photo User Count: 1493 total, 123 active. Back to the more typical growth rate, which is strong evidence the strong growth of the last few days was caused by Columbus Day boredom.
Event Connector User Count: 40 total, 10 active. Not much happening here so far, I’m reaching out to some more event promoters to get them to give it a go.