Ordered an account and the delivery is a cryptic EAAB string or a cookies file? If you don't know what to do with it, the profile is easy to burn on first login. Let's break down Facebook account formats: login:pass, cookies, and token, how they differ, and which delivery format to choose for arbitrage.
What delivery formats exist
Account shops deliver access in several forms. The format determines how you log in and how soft it looks to Facebook.
- login:pass — login and password (often plus email and a 2FA key). The classic login format.
- cookies — a session file: log in without typing a password, as if already signed in.
- token / EAAB — an access token starting with EAAB; used for API and automation.
login:pass format
The most straightforward option. You get a login, a password, usually email access, and a 2FA secret. You log in through an antidetect like Dolphin{anty} or AdsPower with a proxy matching the account geo.
The upside is full control over the profile: you can change the password and attach your own email. The downside is that a cold login can sometimes trigger a check, so warm-up and a stable environment are needed.
cookies format
Cookies are a saved session. You import the cookies into an antidetect browser and land in the account with no password. To Facebook this looks like a continuation of an old session, which is softer.
- Open a profile in the antidetect with the right proxy.
- Import the cookies (often JSON or Netscape format).
- Refresh the page — you are already in.
Cookies have a lifespan and can expire, so it's best to log in right after purchase.
token / EAAB format
A token is an access key to the Facebook API. The EAAB string lets you work with the account programmatically: pull data, manage ads via scripts. It suits automation and software.
A token lives for a limited time and is tied to a session. For manual ad spend it's overkill — login:pass or cookies are more convenient there.
What to choose for arbitrage
| Format | Convenience | Best for |
|---|---|---|
| login:pass | High | Manual spend, full control |
| cookies | High | Soft login, fast start |
| token / EAAB | Medium | API, automation, software |
For most media buyers the login:pass + cookies combo is optimal: cookies give a soft login, while login/password and 2FA are a backup if the session expires.
User-Agent, email, and 2FA included
The delivery format isn't just access but the accompanying data too. How complete it is determines how softly the account survives the first login and how manageable it stays.
- User-Agent — the device/browser string; plug it into the antidetect so the fingerprint matches the account's history.
- Email — access to the linked inbox is needed for recovery and confirmations.
- 2FA key — the two-factor secret; it generates login codes and protects from takeover.
The full set of login:pass + email + 2FA + cookies + User-Agent is the most manageable account, easier to keep in rotation for a long time.
Frequently asked questions about delivery formats
Which is better for a beginner — login:pass or cookies?
Cookies give the softest login with no password, but require importing into the antidetect. login:pass is clearer and gives full control. Ideally, have both.
Why did cookies stop working?
Cookies have a lifespan and are tied to a session. If expired — log in via login:pass and pull fresh cookies if needed.
Do I need a token for manual spend?
No. Token/EAAB is for API and software. For manual work, login:pass and cookies are enough.
What format do cookies arrive in?
Most often JSON or Netscape. Most antidetects, including Dolphin{anty} and AdsPower, import both.
Conclusion
Facebook account delivery formats — login:pass, cookies, and token/EAAB — solve different tasks: manual spend, fast login, and API automation. For arbitrage take login:pass with cookies, log in via antidetect and proxy, and don't delay the first login.
Choosing supplies? See Facebook accounts (logs / cookies) and FB autoreg accounts. Next, read how to choose an account for arbitrage and how to check an account before buying. Pay with USDT (TRC20/BEP20), CryptoBot, SBP, instant 24/7 delivery, 24-hour replacement.