How to verify Facebook access token?


Facebook Problem Overview

There's only thing that server has to do; just check any access token's validity.

Clients send to the server user id and access token obtained by FB.getLoginStatus. As I expected, there would be any URL that checks access token's validity, like

That returns whether it's available one or not or is there any API (server side) for that?

Facebook Solutions

Solution 1 - Facebook

The officially supported method for this is:


See the check token docs for more information.

An example response is:

    "data": {
        "app_id": 138483919580948, 
        "application": "Social Cafe", 
        "expires_at": 1352419328, 
        "is_valid": true, 
        "issued_at": 1347235328, 
        "metadata": {
            "sso": "iphone-safari"
        "scopes": [
        "user_id": 1207059

Solution 2 - Facebook

You can simply request if you get an error, the token is invalid. If you get a JSON object with an id property then it is valid.

Unfortunately this will only tell you if your token is valid, not if it came from your app.

Solution 3 - Facebook

Just wanted to let you know that up until today I was first obtaining an app access token (via GET request to Facebook), and then using the received token as the app-token-or-admin-token in:


However, I just realized a better way of doing this (with the added benefit of requiring one less GET request):


As described in Facebook's documentation for Access Tokens here.

Solution 4 - Facebook

Simply request (HTTP GET):

That's it.

Solution 5 - Facebook

The app token can be found from this url.

Solution 6 - Facebook

I found this official tool from facebook developer page, this page will you following information related to access token - App ID, Type, App-Scoped,User last installed this app via, Issued, Expires, Data Access Expires, Valid, Origin, Scopes. Just need access token.

Solution 7 - Facebook

Exchange Access Token for Mobile Number and Country Code (Server Side OR Client Side)

You can get the mobile number with your access_token with this API Maybe, once you have the mobile number and the id, you can work with it to verify the user with your server & database.

xxxxxxxxxx above is the Access Token

Example Response :
   "id": "61940819992708",
   "phone": {
      "number": "+91XX82923912",
      "country_prefix": "91",
      "national_number": "XX82923912"

Exchange Auth Code for Access Token (Server Side)

If you have an Auth Code instead, you can first get the Access Token with this API -|yyyyyyyyyy|zzzzzzzzzz

xxxxxxxxxx, yyyyyyyyyy and zzzzzzzzzz above are the Auth Code, App ID and App Secret respectively.

Example Response
   "id": "619XX819992708",
   "access_token": "EMAWdcsi711meGS2qQpNk4XBTwUBIDtqYAKoZBbBZAEZCZAXyWVbqvKUyKgDZBniZBFwKVyoVGHXnquCcikBqc9ROF2qAxLRrqBYAvXknwND3dhHU0iLZCRwBNHNlyQZD",
   "token_refresh_interval_sec": XX92000
Note - This is preferred on the server-side since the API requires the APP Secret which is not meant to be shared for security reasons.

Good Luck.


All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionSo Jae KyungView Question on Stackoverflow
Solution 1 - FacebookrynopView Answer on Stackoverflow
Solution 2 - FacebookAndy MuthView Answer on Stackoverflow
Solution 3 - FacebookAndyView Answer on Stackoverflow
Solution 4 - FacebookNathan BView Answer on Stackoverflow
Solution 5 - FacebookMahendraView Answer on Stackoverflow
Solution 6 - Facebookshukla147View Answer on Stackoverflow
Solution 7 - FacebookAakashView Answer on Stackoverflow