For certain types of apps, we return a signed request to the app. This contains additional fields of information, even before your app requests permissions. For information on how to parse the data you receive, see Using a Signed Request.
The JSON object returned with the signed request does not have a strict format. It varies depending on the type of app that can access it, such as Canvas, Page Apps, and so on. However, you can assume that the payload contains some of the following fields and values:
An OAuth code which can be exchanged for a valid user access token via a subsequent server-side request.
A JSON string containing the mechanism used to sign the request, normally:
A JSON number containing the Unix timestamp when the request was signed.
A JSON string containing the User ID of the current user.
A JSON string that can be used when making requests to the Graph API. This is also known as a user access token.
A JSON number containing the Unix timestamp when the
A JSON string containing the content of the
Some fields and values, the oauth_token for example, will only be passed if the user has logged into your app.
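A sketch of how a server can verify a signed request and then read its fields defensively, given that the payload has no strict format. This is an added example, not code from the original page or from Facebook. It assumes the token is a base64url signature and a base64url JSON payload joined by a dot, signed with HMAC-SHA256 keyed by the app secret, and that the payload uses the field names algorithm, issued_at and user_id; the function names, secret and sample token are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(text):
    # The token uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_signed_request(signed_request, app_secret, max_age=None, now=None):
    """Return the verified payload dict; raise ValueError on any failure."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        signature = b64url_decode(sig_b64)
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:  # covers bad base64, bad UTF-8, bad JSON
        raise ValueError("malformed signed_request") from exc
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    # Pin the algorithm: this field is untrusted until the signature checks out.
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(app_secret.encode(), payload_b64.encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("signature mismatch")
    if max_age is not None:
        issued_at = payload.get("issued_at")
        current = time.time() if now is None else now
        if not isinstance(issued_at, (int, float)) or current - issued_at > max_age:
            raise ValueError("signed_request is too old or has no issued_at")
    return payload

def make_sample(payload, app_secret):
    # Constructed test input only, built the same way the token is verified.
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + body

SECRET = "constructed-app-secret"  # placeholder, not a real credential
SAMPLE = make_sample({"algorithm": "HMAC-SHA256", "issued_at": 1700000000,
                      "user_id": "1234567890"}, SECRET)

if __name__ == "__main__":
    data = parse_signed_request(SAMPLE, SECRET, max_age=3600, now=1700000100)
    # No strict format: optional fields such as oauth_token may be absent.
    print(data["user_id"], data.get("oauth_token"))
```

Read optional fields with a lookup that tolerates absence, and treat nothing in the payload as trusted until the signature comparison has passed.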
The age object, which is part of the user object, will only be returned in the signed_request parameter for Canvas Apps; it will not be returned for external apps. It provides an unspecific age range that the user fits into, allowing apps to determine, for example, whether the user can be shown alcohol content without identifying their age specifically. The following table shows the possible age range values returned: