Reputation: 331
Well, I have been trying to make appsecret_proof work.
I have enabled use app_secret in the app settings.
The code for generating app secret in PHP SDK:
$appsecret_proof= hash_hmac('sha256', APP_ID. "|" . APP_SECRET, APP_SECRET);
And I am passing it along with the post parameter in a batch request:
$params['batch'] = json_encode($entries);
$params['appsecret_proof'] = $appsecret_proof;
$response = $facebook->api('/', "POST", $params);
And I have cross-checked the app id and app secret.
With these settings I get the following error:
Invalid appsecret_proof provided in the API argument
Any help will be appreciated.
P.S. Disabling it in app settings makes it work.
Upvotes: 2
Views: 5776
Reputation: 61
If you use a user access token in one or more sub-requests, those requests will need their own appsecret_proof. Otherwise, Facebook will compare the user's access token to the app token's proof and the check will fail.
Example:
$proof1 = hash_hmac('sha256', [USER TOKEN 1], APP_SECRET);
$proof2 = hash_hmac('sha256', [USER TOKEN 2], APP_SECRET);
$requests = array(
    array(
        'relative_url' => "[USER ID 1]/permissions",
        'method' => "GET",
        'body' => "access_token=[USER TOKEN 1]&appsecret_proof=" . $proof1
    ),
    array(
        'relative_url' => "[USER ID 2]/permissions",
        'method' => "GET",
        'body' => "access_token=[USER TOKEN 2]&appsecret_proof=" . $proof2
    ),
);
$appToken = APP_ID. "|" . APP_SECRET;
$appsecret_proof = hash_hmac('sha256', $appToken, APP_SECRET);
$params['batch'] = json_encode($requests);
$params['appsecret_proof'] = $appsecret_proof;
$response = $facebook->api('/', "POST", $params);
Upvotes: 4
Reputation: 129
According to the Facebook docs, the correct syntax is:
$appsecret_proof= hash_hmac('sha256', $access_token, $app_secret);
See here:
https://developers.facebook.com/docs/graph-api/securing-requests/
Fixed the problem for me...
Upvotes: 0
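The two answers above combined into one helper, as an added example that is not code from either answer or from the Facebook SDK: every token gets a proof derived from that same token, and a final local check shows why a proof computed for one token is rejected for another. The function names, user ids, tokens and secret are constructed placeholders, and the sub-request layout follows the first answer.

```php
<?php
// Constructed placeholder values, not real credentials.
const APP_ID = '1234567890';
const APP_SECRET = 'constructed-app-secret';

// The proof is HMAC-SHA256 over the access token, keyed with the app secret.
function appsecret_proof(string $accessToken, string $appSecret): string
{
    return hash_hmac('sha256', $accessToken, $appSecret);
}

// A sub-request that carries its own token must carry the proof
// derived from that same token (hypothetical helper).
function batch_entry(string $relativeUrl, string $token, string $appSecret): array
{
    return [
        'method'       => 'GET',
        'relative_url' => $relativeUrl,
        'body'         => http_build_query([
            'access_token'    => $token,
            'appsecret_proof' => appsecret_proof($token, $appSecret),
        ]),
    ];
}

// Build the POST parameters for the batch call (hypothetical helper).
// As in the first answer, the top-level proof is derived from the app token.
function build_batch_params(array $userTokens, string $appId, string $appSecret): array
{
    $entries = [];
    foreach ($userTokens as $userId => $token) {
        $entries[] = batch_entry("{$userId}/permissions", $token, $appSecret);
    }
    $appToken = $appId . '|' . $appSecret;
    return [
        'batch'           => json_encode($entries),
        'appsecret_proof' => appsecret_proof($appToken, $appSecret),
    ];
}

$tokens = ['1001' => 'constructed-user-token-1', '1002' => 'constructed-user-token-2'];
$params = build_batch_params($tokens, APP_ID, APP_SECRET);
print_r($params);

// Constant-time comparison of a user-token proof against the app-token proof:
// the two differ, which is the mismatch the first answer describes.
$userProof = appsecret_proof('constructed-user-token-1', APP_SECRET);
var_dump(hash_equals($userProof, $params['appsecret_proof']));
```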