I found this question, which has an answer, but facebook changed the token format since then, now it is something like:

AAACEdEose0cBACgUMGMCRi9qVbqO3u7mdATQzg[more funny letters]ig8b3uss9WrhGZBYjr20rnJu263BAZDZD

In short, you cannot infer anything from it.
I also found the access token debugger, which shows the information I am looking for if you paste a token in, which is nice, but does not help me do it programmatically.

Point is, if someone gets a token for a user, he can use it to access the graph, which is what I do in my application – I want to be sure that people are forwarding the token that was issued to them by my application, and not another.

My application flow is:

1. Get access token from facebook (nothing special, in the way it is described in here , Server-side Flow. (also iPhone and android and used, but they have similar flows if I recall correctly))
   [device] <-> [facebook]
2. With that access token, the device will access my application server with the token
   [device] <-> [Jonathan’s application]
   At my server I attach the access token to the user and use that to give permissions to that user in my application. (using the facebook connect to authenticate users)

My application is secured, and the access done is also authenticated regardless of facebook, BUT! in this flow, the a weak link I identified is that I cannot authenticate for sure that the access token I got was signed for my application – I do not like it because I cache the tokens for offline use, I want to be 100% sure they are for my application, with my permissions.

So what will be the (best) way to authenticate that the token I got is related to my application (for relation to user, I use the token to access /me and see which user this token is for)

I do not need to decrypt the token (i guess its some sort of AES), I am just looking for an endpoint that will tell me the token matched my application id.

(EDIT: Using the C# SDK, if it matters.. But a graph/rest call to give that info is just as good as well 🙂 )