I’m using expo-facebook for authentication and will use the token + user ID to exchange for a token that can be used to access my APIs.
One can use the Facebook API to validate a token: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken
However, this requires that you know the app secret. I assume this isn’t shared for the Expo Facebook App that expo-facebook uses.
The Expo API for expo-facebook mentions a signedRequest, but this isn’t actually provided, and even if it was, you’d still require the secret.
So how is one supposed to know if the token is a valid one?
I tried looking into expo-app-auth as a way to use Facebook that would allow me to continue to use the Expo client. But there don’t seem to be any working examples of that.
Would love to hear what you do.
I found this similar question, but it has no answers (to the actual question): Signed request string of Expo.Facebook.logInWithReadPermissionsAsync
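
The checks a backend would apply to the response from the token-inspection endpoint linked in the question, as an added example that is not part of the original post. It assumes the backend has already obtained that response using credentials for the app that issued the token; the field names follow Facebook's documented `debug_token` response, while the function, variable names and sample values are hypothetical.

```javascript
// Added example: server-side checks on a Graph API debug_token response.
// Response shape assumed: { data: { app_id, is_valid, user_id, expires_at } }.
// Function and variable names are hypothetical, not from expo-facebook.
function checkDebugTokenResponse(response, expected, nowSeconds) {
  const data = response && response.data;
  if (!data || typeof data !== 'object') {
    return { ok: false, reason: 'malformed response' };
  }
  if (data.is_valid !== true) {
    return { ok: false, reason: 'token not valid' };
  }
  // Reject tokens issued to a different Facebook app (confused-deputy case).
  if (String(data.app_id) !== String(expected.appId)) {
    return { ok: false, reason: 'token issued to another app' };
  }
  // Trust the user ID in Facebook's answer, not the one the client sent.
  if (String(data.user_id) !== String(expected.userId)) {
    return { ok: false, reason: 'user ID mismatch' };
  }
  // expires_at is a Unix timestamp; 0 is treated here as non-expiring.
  const exp = Number(data.expires_at);
  if (!Number.isFinite(exp) || (exp !== 0 && exp <= nowSeconds)) {
    return { ok: false, reason: 'token expired or expiry missing' };
  }
  return { ok: true, userId: String(data.user_id) };
}

// Constructed sample responses (not real tokens or IDs).
const NOW = 1700000000;
const EXPECTED = { appId: '1111111111', userId: '2222222222' };
const sampleGood = {
  data: { app_id: '1111111111', is_valid: true, user_id: '2222222222', expires_at: NOW + 3600 },
};
const sampleOtherApp = { data: { ...sampleGood.data, app_id: '9999999999' } };
const sampleExpired = { data: { ...sampleGood.data, expires_at: NOW - 1 } };

for (const [name, r] of Object.entries({ sampleGood, sampleOtherApp, sampleExpired })) {
  console.log(name, checkDebugTokenResponse(r, EXPECTED, NOW));
}
```

Only after these checks pass should the backend mint its own API token, keyed to the `user_id` Facebook returned.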