I have successfully installed the Facebook registration plugin on my website, but I’m left

Question

Asked: June 9, 20262026-06-09T05:49:21+00:00 2026-06-09T05:49:21+00:00

I have successfully installed the Facebook registration plugin on my website, but I’m left with some unanswered question.

After a user is authenticated through Facebook, should I just be storing the UID from Facebook in my database to correlate records in my application with the Facebook user?
If I understand correctly, Facebook should send back an “Access Token” what exactly should be done with this? Should each required page in an application be checking this access token some how to verify the user is authenticated instead of calling something like FB.getSession each time you want to validate the user is still logged in?
If a user registers through the Facebook registration without a Facebook Account, and returns is it completely up to me to handle the authentication and storage of the username and password or dose Facebook still interject here?
Where and What is the App Secret used for?
Facebook is said to return a “Signed Request”. Is this separate from the data that is returned? Dose each request back from Facebook need to have the Signed request verified?

I have more questions coming, but I’ll start with these for now.

You must login to add an answer.

Need An Account,

Editorial Team · Answer 1 · 2026-06-09T05:49:23+00:00

Yes.
The oauth_token can be used to make a request to the API once they give permission to your app.
I haven’t used this tool to save passwords but the registration flow can be found here
The signed_request parameter is signed using your application secret which is only known by you and Facebook to make sure that the data you’re receiving is the actual data sent by Facebook.
The data Facebook returns is the signed_request and it is an encoded JSON string. You can’t decode it without your app secret. You verify return data by decoding the signed_request.

The Archive Base Latest Questions