Facebook: How to get app id from user's access token - using /app?access_token=TOKEN?

We're allowing a user to access our backend (using a REST API over HTTPS with JSON replies) using only a Facebook access token as a credential, so we want to do two things:

  1. verify the access token and find the user's id - which is just a call to https://graph.facebook.com/me?access_token=TOKEN

  2. Make sure that this access token belongs to our Facebook app. You can call https://graph.facebook.com/app?access_token=TOKEN, but this seems to be an undocumented feature (and one which is sometimes rather slow).

Can anybody tell me whether this is in fact a standard method which is likely to stay there? Or is there another way of doing what we want to do: to verify that a user's access token is valid and comes from our Facebook app.

You can call me/permissions and me?fields=installed, but neither of these seems to tell me WHICH Facebook app we're checking.


You can pass signed_request instead of access_token with every request. The signed_request parameter is based on your application's secret key, and you can simply verify it. Read the documentation about signed requests.

You should implement an authentication flow as described in the docs (client or server side). Basically you get a fresh access token by authenticating the user with your app and use that token for requests to your server. This way you can be sure that the token "belongs" to your app. Steps to do:

  1. Initialize a Facebook SDK of your choice with your app ID.
  2. Check whether the user has already authorized your app.
  3. If the user has already authorized your app you get his or her Facebook user id together with the token (which "belongs" to your app), if not: authenticate the user and get the token.

The docs provide you with sample code and lots of details:


The feature you mentioned is documented here (scroll down to 2. Make requests to the API):

An app access token allows you to make requests as an application, not a user. To retrieve the details of your application, perform an HTTP GET on: https://graph.facebook.com/app?access_token=APP_ACCESS_TOKEN

Hence the feature is likely to stay.

This is old, but I've recently just had the same worries. I think the most straightforward way to do this is checking the access token with debug_token.

GET graph.facebook.com/debug_token?

Reference: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken
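An added example, not part of the original answers: a backend-side check that a user token inspected through debug_token was actually issued to your own app before its user id is trusted. It assumes the response fields `app_id`, `is_valid`, `type`, `expires_at` and `user_id`, and the `app_id|app_secret` form of the app access token; the function names and sample ids are hypothetical and constructed.

```python
import json
import time
import urllib.parse
import urllib.request

GRAPH_DEBUG_URL = "https://graph.facebook.com/debug_token"

class TokenRejected(Exception):
    """Raised when the inspected token must not be accepted."""

def check_debug_data(body, expected_app_id, now=None):
    """Validate a parsed debug_token response; return the user id on success."""
    now = time.time() if now is None else now
    data = body.get("data") or {}
    if "error" in data or not data.get("is_valid"):
        raise TokenRejected("token is not valid")
    # The decisive check: the token must have been issued to OUR app,
    # otherwise a token obtained by any other app would log the user in here.
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenRejected("token was issued to a different app")
    if data.get("type") != "USER":
        raise TokenRejected("not a user access token")
    # expires_at == 0 marks a non-expiring token.
    expires_at = int(data.get("expires_at", 0))
    if expires_at and expires_at <= now:
        raise TokenRejected("token has expired")
    user_id = data.get("user_id")
    if not user_id:
        raise TokenRejected("no user id in response")
    return str(user_id)

def verify_user_token(user_token, app_id, app_secret, timeout=5):
    """Ask the Graph API about user_token, authenticating as the app itself."""
    query = urllib.parse.urlencode({
        "input_token": user_token,
        "access_token": f"{app_id}|{app_secret}",  # app access token form
    })
    url = f"{GRAPH_DEBUG_URL}?{query}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return check_debug_data(json.load(resp), app_id)

# Constructed sample responses (placeholder ids, not real data).
SAMPLE_OK = {"data": {"app_id": "1111", "type": "USER", "is_valid": True,
                      "expires_at": 2000000000, "user_id": "42"}}
SAMPLE_OTHER_APP = {"data": {**SAMPLE_OK["data"], "app_id": "9999"}}
```

Taking the user id from this response, rather than from a separate /me call, keeps the identity and the app binding in one verified answer.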
