Validate token with expo-facebook

I’m using expo-facebook for authentication and will will use the token + user ID to exchange for a token that can be used to access my apis.

One can use the Facebook API to validate a token: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken

However, this requires that you know the app secret. I assume this isn’t shared for the Expo Facebook App :slight_smile: that expo-facebook uses.

The expo api for expo-facebook mentions a signedRequest, but this isn’t actually provided and even if it was you’d still require the secret.

So how is one supposed know if the token is a valid one?

I tried looking into expo-app-auth as a way to use Facebook that would allow me to continue to use the expo client. But there doesn’t seem to be any working examples of that.

Would love to here what you do?

I found this similar question but it has no answers (to the actual question) Signed request string of Expo.Facebook.logInWithReadPermissionsAsync

Ping to avoid closure!

Hi @mblarsen
I’m not sure if the following topic explains what you mean.

If you want to verify the fbToken server side, you server should first (A) get an access token specifying appId and appSecret, then with the access_token received you can verify (B) the fb Token got from the logInWithReadPermissionsAsync in expo-facebook

When I try the A request (my data are removed for privacy)

curl --location --request GET ‘https://graph.facebook.com/oauth/access_token?client_id=XXXXXXXXXXx&client_secret=YYYYYYYYYY&grant_type=client_credentials&redirect_uri
–header ‘Content-Type: application/json’
–data-raw ‘’
it does return the access_token, but grant_type accepts also “authorization_code”, it is still unclear how to get the authorization_code then

Hope it helps

Yeah, this is the approach that I link to in my question. Pretty straight forward¸however, the facebook is locked to the expo’s facebook app, not mine. So I don’t have the secret and therefore cannot use that solution.