
Facebook decoded signed_request contains extra data which isn't mentioned in the documentation

I have a Facebook signed_request which is received by subscribing to the auth.login event and after the user logs in using the Facebook login button.

After I decode the signed_request I have the following information in it:

{'issued_at': 1318492701, 
'code': 'AQCXI5aiyYtYLFNtkYhtKwDhO02lP[truncated]', 
'user_id': '100000xxxxxxxxx', 
'algorithm': 'HMAC-SHA256'}

I cannot find 'code' in the signed_request documentation. What is this code and what's its use?

I thought it might be used to obtain an authorization code as stated in this thread but along with the signed_request I also receive an access token for the user in the response from the login event.

Virgiliu asked Oct 09 '22 18:10
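The fields in a decoded payload like the one in the question (user_id, code) should only be trusted once the signature half of the signed_request has been checked against the app secret. The following is an added example, not code from the question or from Facebook's SDK; it assumes the signed_request layout of a base64url signature, a dot, and a base64url JSON payload signed with HMAC-SHA256, and the secret, helper names and sample token are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Decode base64url that has had its '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign(payload_b64: str, app_secret: str) -> bytes:
    return hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Return the payload only if the signature verifies; raise ValueError otherwise."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed signed_request") from exc
    # Authenticate the raw payload segment before parsing any of it.
    if not hmac.compare_digest(signature, sign(payload_b64, app_secret)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    # Only HMAC-SHA256 is verified here, so refuse any other declared algorithm.
    declared = str(payload.get("algorithm", "")) if isinstance(payload, dict) else ""
    if declared.upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    return payload


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Build a constructed sample token for this demo (not a real Facebook token)."""
    payload_b64 = b64url_encode(json.dumps(payload).encode())
    return b64url_encode(sign(payload_b64, app_secret)) + "." + payload_b64


if __name__ == "__main__":
    secret = "constructed-app-secret"  # placeholder, never a real secret
    sample = {"algorithm": "HMAC-SHA256", "issued_at": 1318492701,
              "user_id": "100000xxxxxxxxx", "code": "constructed-code"}
    print(parse_signed_request(make_signed_request(sample, secret), secret))
```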


2 Answers

I don't know why they don't mention use of the code on the documentation page for signed requests. The code can be exchanged for an access token that is the key to making any subsequent Facebook API requests.

Relevant documentation is here: https://developers.facebook.com/docs/authentication/

With this code in hand, you can proceed to the next step, app authentication, to gain the access token you need to make API calls.

In order to authenticate your app, you must pass the authorization code and your app secret to the Graph API token endpoint - along with the exact same redirect_uri used above - at https://graph.facebook.com/oauth/access_token. The app secret is available from the Developer App and should not be shared with anyone or embedded in any code that you will distribute (you should use the client-side flow for these scenarios).

Pat James answered Oct 13 '22 12:10


This is the signed_request from the JavaScript SDK, right? The code is used by the SDK but isn't for the Server-side Authentication. Actually, we will update the documentation to reflect the signed_request behaviors.

Alexcode answered Oct 13 '22 10:10