diff --git a/.github/workflows/renew.yml b/.github/workflows/renew.yml
new file mode 100644
index 000000000..cd5b2dfa6
--- /dev/null
+++ b/.github/workflows/renew.yml
@@ -0,0 +1,25 @@
+name: Renew facebook token
+
+on:
+  schedule:
+    - cron: "0 0 1 * *"
+
+permissions:
+  actions: read
+
+jobs:
+  renew:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ruby/setup-ruby@v1.86.0
+        with:
+          ruby-version: '2.7'
+          bundler-cache: true
+      - name: Update the facebook token
+        env:
+          FACEBOOK_APP_ID: ${{ secrets.FACEBOOK_APP_ID }}
+          FACEBOOK_CLIENT_SECRET: ${{ secrets.FACEBOOK_CLIENT_SECRET }}
+          FACEBOOK_TOKEN: ${{ secrets.FACEBOOK_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
+        run: bundle exec ruby renew.rb
diff --git a/README.md b/README.md
index 7627524c4..3e4e9e9eb 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,8 @@ bundle exec jekyll serve
 - Setup page id in `.github/workflows/deploy.yml`
 - Setup application: <https://stackoverflow.com/questions/17197970/facebook-permanent-page-access-token>
 
+The facebook token has to be refresh according to this link: <https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing/>
+
 ## VSCode configuration
 
 These plugin will help writing CSS respecting the rules: <https://marketplace.visualstudio.com/items?itemName=stylelint.vscode-stylelint>
diff --git a/renew.rb b/renew.rb
new file mode 100644
index 000000000..a578d1277
--- /dev/null
+++ b/renew.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'octokit'
+require 'rbnacl'
+require 'base64'
+
+require './env_utils'
+
+access_token = get_env_or_exit('FACEBOOK_TOKEN')
+app_id = get_env_or_exit('FACEBOOK_APP_ID')
+app_secret = get_env_or_exit('FACEBOOK_CLIENT_SECRET')
+
+uri = URI('https://graph.facebook.com/oauth/access_token')
+uri.query = URI.encode_www_form({
+                                  grant_type: 'fb_exchange_token',
+                                  client_id: app_id,
+                                  client_secret: app_secret,
+                                  fb_exchange_token: access_token
+                                })
+
+res = Net::HTTP.get_response(uri)
+if res.is_a?(Net::HTTPSuccess)
+  new_token = JSON.parse(res.body)['access_token']
+else
+  puts "Bad response: #{res}"
+  exit(-1)
+end
+
+github_token = get_env_or_exit('GITHUB_TOKEN')
+
+# Provide authentication credentials
+client = Octokit::Client.new(access_token: github_token)
+
+def create_box(public_key)
+  b64_key = RbNaCl::PublicKey.new(Base64.decode64(public_key[:key]))
+  {
+    key_id: public_key[:key_id],
+    box: RbNaCl::Boxes::Sealed.from_public_key(b64_key)
+  }
+end
+
+repo = client.repo 'atelierdesmedias/atelierdesmedias.github.io'
+
+secret = { name: 'FACEBOOK_TOKEN', value: new_token }
+public_key = client.get_public_key(repo.id)
+puts 'public key:', public_key, public_key[:key], public_key[:key_id]
+box = create_box(public_key)
+puts 'box:', box[:key_id], box[:box]
+puts 'after'
+encrypted = box[:box].encrypt(secret[:value])
+encrypted_value = Base64.strict_encode64(encrypted)
+puts 'encrypted_value:', encrypted_value
+puts client.create_or_update_secret(
+  repo.id, secret[:name],
+  key_id: box[:key_id], encrypted_value: encrypted_value
+)
+puts client.last_response.status