Best Practices. Prompt people to log in at the right time. Only ask for the permissions you need. Ask for permissions in context and explain why. If you don't use the Facebook SDKs, regularly check whether the access token is valid. Use the button that comes with our SDKs. Avoid having people login from a WebView..