In an extraordinarily inconvenient API change, Facebook and Instagram will be dropping unauthenticated oEmbed support on October 24, breaking content across millions of websites. The change will force users to generate an app ID with a developer account in order to continue embedding links via oEmbed:
Changes to tokenless access for User Picture and FB/IG OEmbed endpoints: By October 24, 2020, developers must leverage a user, app, or client token when querying Graph API for user profile pictures via UID, FB OEmbeds and IG OEmbeds. Developers should provide a user or app token when querying for profile pictures via a UID or ASID, though client tokens are supported as well. Please visit our changelog for User Picture, Facebook OEmbed and Instagram OEmbed for details on how to start calling these Graph API endpoints today.
In 2008, Leah Culver, one of the collaborators on the oEmbed spec, said it was created to be “an open web API standard for fetching embed code based on a URL.” Requiring authentication in order to use oEmbed links seems like a violation of its intended purpose. For more than a decade, oEmbed has made it possible for users to easily share media across websites and social networks, without having to touch any code. It underpins a flourishing, connected landscape of web sharing that opens up new audiences for posts that might otherwise be buried in a social network’s fast-moving timeline.
In pursuit of a more secure walled garden, Facebook will now require all publishers to obtain developer app credentials in order to embed content that was previously available through simple URLs. Many users will be understandably frustrated when they find they can no longer embed Facebook and Instagram links the way they could in the past. Some will not be motivated to surmount the hurdle of setting up a Facebook app and may resort to posting screenshots or omitting the content altogether. A feature so widely used by non-technical users should not be suddenly locked away behind developer credentials.
At the time of publishing, none of the original oEmbed spec authors were available for comment regarding Facebook’s API change, but we will update the post as new information becomes available.
WordPress to Remove Facebook and Instagram oEmbed Providers
In response to Facebook’s API change, WordPress will be removing Facebook as an oEmbed provider in an upcoming release core release. This will break a lot of content – many years’ worth of posts in some instances, and will require users to install a fallback plugin. WordPress plugin developer Ayesh Karunaratne has created a new plugin called oEmbed Plus that brings back support for Facebook and Instagram content embedding. It guides users through the process of setting up Facebook developer app credentials.
For those who are using the Gutenberg plugin, the Facebook and Instagram blocks have been removed as part of tomorrow’s version 9.0 release. oEmbed links will continue to work until Facebook’s API change goes into effect.
Moving forward, publishers will need to re-examine how they include social media links within their content. Hulu recently dropped oEmbed support after being available as an oEmbed provider in WordPress for the past 11 years. As major players like Facebook and Instagram follow suit in abandoning open web API’s, the web is growing increasingly more fragmented. Facebook’s upcoming API change will leave millions of broken embeds in its wake, with little pieces of embedded history lost along the way, in instances where website owners are no longer updating their content.