I have an iOS application in which I log in to Facebook to ask for an access_token.
Then I pass this access token to my server and I want to get the '/me' information using my appsecret_proof, but I noticed that I can do it without appsecret_proof:
curl "https://graph.facebook.com/me?access_token=THE_ACCESS_TOKEN"
{"id":"658267751","name":"Ricardo Otero",
"first_name":"Ricardo","last_name":"Otero",
"link":"https:\/\/www.facebook.com\/oterosantos",
"hometown":{"id":"107911285910314","name":"Coimbra, Portugal"},
"location":{"id":"110432202311659","name":"Lisbon, Portugal"}...
Although I have set the option "App Secret Proof for Server API calls" to true:

So, shouldn't the requests require the app secret? I don't get it!
Every access_token depends on the app and user, so for a different app and user combination you will have a different access token, so you don't need to worry. Though I am not sure why you are doing it this way; http://m-farhan.com/2014/03/ios-facebook-sdk-tutorial/ is the right way of doing this.
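A server-side sketch of the two checks this thread touches on, added here as an example and not taken from the question or the answer: computing appsecret_proof (the hex HMAC-SHA256 of the access token, keyed with the app secret) for the /me call, and confirming through the Graph API debug_token endpoint that a token handed over by the client was issued for your own app. The function names, app id, secret and token values are constructed placeholders, and no network request is made.

```python
import hashlib
import hmac
from urllib.parse import urlencode

GRAPH = "https://graph.facebook.com"

# Constructed placeholder values, not real credentials.
APP_ID = "1234567890"
APP_SECRET = "constructed-app-secret"
CLIENT_TOKEN = "CONSTRUCTED_ACCESS_TOKEN"


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """Hex HMAC-SHA256 of the access token, keyed with the app secret."""
    return hmac.new(app_secret.encode(), access_token.encode(),
                    hashlib.sha256).hexdigest()


def me_url(access_token: str, app_secret: str) -> str:
    """URL for /me that carries the proof alongside the token."""
    query = urlencode({
        "access_token": access_token,
        "appsecret_proof": appsecret_proof(access_token, app_secret),
    })
    return f"{GRAPH}/me?{query}"


def debug_token_url(input_token: str, app_id: str, app_secret: str) -> str:
    """URL that asks the Graph API to describe input_token.

    The caller authenticates with an app access token ("app_id|app_secret").
    """
    query = urlencode({
        "input_token": input_token,
        "access_token": f"{app_id}|{app_secret}",
    })
    return f"{GRAPH}/debug_token?{query}"


def token_is_ours(debug_response: dict, app_id: str) -> bool:
    """True only if the token is valid and was issued for our app id."""
    data = debug_response.get("data") or {}
    return data.get("is_valid") is True and str(data.get("app_id")) == app_id


if __name__ == "__main__":
    print(me_url(CLIENT_TOKEN, APP_SECRET))
    print(debug_token_url(CLIENT_TOKEN, APP_ID, APP_SECRET))
    # Constructed debug_token response for a token issued to another app.
    foreign = {"data": {"app_id": "999", "is_valid": True, "user_id": "1"}}
    print(token_is_ours(foreign, APP_ID))
```

Keep the app secret on the server only; the iOS client should send just the user access token.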