Securing Graph API Calls

Almost every Graph API call requires an access token. Malicious developers can steal access tokens and use them to send spam from your app. Facebook has automated systems to detect this, but you can help us secure your app. This document covers some of the ways you can improve security in your app.

Facebook Crawler

A number of platform services such as Social Plugins and Open Graph require our systems to be able to reach your web pages. We recognize that there are situations where you might not want these pages on the public web, during testing or for other security reasons.

We've provided information on IP allow lists and User Agent strings for Facebook's crawlers in our Facebook Crawler guide.

Login Security

There are a large number of settings you can change to improve the security of your app. Please see our Login Security documentation for a checklist of things you can do.

It's also worth looking at our access token documentation which covers various architectures and the security trade-offs that you should consider.

Server Allow List

We also enable you to restrict some of your API calls to come from a list of servers that you have allowed to make calls. Learn more in our login security documentation.

Social Plugin Confirmation Steps

In order to protect users from unintentionally liking content around the web, our systems will occasionally require them to confirm that they intended to interact with one of our Social Plugins via a "confirm" dialog. This is expected behavior and once the system has verified your site as a good actor, the step will be removed automatically.


If you're connecting to Facebook's servers your client must:

Most modern clients can meet these requirements. However, older clients may not be new enough, especially in embedded applications like consoles.

Verify Graph API Calls with appsecret_proof

Access tokens are portable. It's possible to take an access token generated on a client by Facebook's SDK, send it to a server and then make calls from that server on behalf of the client. An access token can also be stolen by malicious software on a person's computer or a man in the middle attack. Then that access token can be used from an entirely different system that's not the client and not your server, generating spam or stealing data.

Calls from a server can be better secured by adding a parameter called appsecret_proof. The app secret proof is a sha256 hash of your access token, using your app secret as the key. The app secret can be found in your app dashboard in Settings > Basic.

If you're using the official PHP SDK, the appsecret_proof parameter is automatically added.

Generate the Proof

The following code example is what the call looks like in PHP:

$appsecret_proof= hash_hmac('sha256', $access_token, $app_secret); 

Add the Proof

You add the result as an appsecret_proof parameter to each call you make:

curl \
  -F 'access_token=<access_token>' \
  -F 'appsecret_proof=<app secret proof>' \
  -F 'batch=[{"method":"GET", "relative_url":"me"},{"method":"GET", "relative_url":"me/friends?limit=50"}]' \

Require the Proof

In the Settings > Advanced section of your app dashboard in the Security section, you enable Require App Secret. When this is enabled, we will only allow API calls that include the appsecret_proof.