Verify Facebook Access Token for specific App

Question

I need to verify that users on my iPhone app are actually logged in to my Facebook app. I\'m able to verify their user id by retrieving it with their Access token:

Answer 1

You can use appsecret_proof on your api calls.

From the official documentation:

Access tokens are portable. It's possible to take an access token generated on a client by Facebook's SDK, send it to a server and then make calls from that server on behalf of the client.

You can prevent this by adding the appsecret_proof parameter to every API call from a server and enabling the setting to require proof on all calls. This prevents bad guys from making API calls with your access tokens from their servers.

Example:

https://graph.facebook.com/app?access_token=TOKEN&appsecret_proof=

In PHP:

$endpoint = sprintf(
    'https://graph.facebook.com/app?access_token=%s&appsecret_proof=%s',
    urlencode($accessToken),
    urlencode(
        hash_hmac('sha256', $accessToken, $appSecret)
    )
);

You can now trust that the response that you got can be used for authentication.