This is regarding Facebook apps. After the user clicks on the Allow button on the authorization page (OAuth page), the user is redirected to the app with a code param in the query string. According to the FB docs, we should use the value of this param to get the access code needed for FB API calls.
I use FB's PHP-SDK. After the user is redirected from the OAuth page, I call $facebook->getUserAccessToken() to get the access token. This code seems to fetch the access token directly from the signed_request (present in the cookie). It never needs to use the code param. I don't understand why the code param is sent, then?
It depends on your app settings. Currently it's working without the code, but you will have to migrate to the now-standard OAuth 2.0 process.
See https://github.com/facebook/php-sdk/blob/master/examples/example.php for how to log in users.
In short, you don't have to take care of the token or code parameter; the SDK handles it itself (via the $_REQUEST array).
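For readers handling a signed_request without the SDK, the following added example (not part of the original posts and not the PHP SDK's own code) verifies the HMAC-SHA256 signature before trusting the payload, then reports whether it carries a token or a code. The app secret, the helper names and both sample payloads are constructed for illustration, and the `oauth_token` and `code` field names are assumed to follow Facebook's documented signed_request layout.

```php
<?php
// Added example; not the PHP SDK's code. Secret and payloads are constructed.
function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $in): ?string {
    $padded = $in . str_repeat('=', (4 - strlen($in) % 4) % 4);
    $out = base64_decode(strtr($padded, '-_', '+/'), true);
    return $out === false ? null : $out;
}

// Returns the payload only if the HMAC-SHA256 signature checks out, else null.
function parse_signed_request(string $signedRequest, string $appSecret): ?array {
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encSig, $encPayload] = $parts;
    $sig  = b64url_decode($encSig);
    $json = b64url_decode($encPayload);
    if ($sig === null || $json === null) {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || strtoupper((string)($data['algorithm'] ?? '')) !== 'HMAC-SHA256') {
        return null; // refuse unknown or missing algorithms
    }
    // The signature covers the encoded payload string, not the decoded JSON.
    $expected = hash_hmac('sha256', $encPayload, $appSecret, true);
    return hash_equals($expected, $sig) ? $data : null; // constant-time compare
}

// Demo helper (hypothetical): builds a constructed signed_request for the checks below.
function make_signed_request(array $payload, string $appSecret): string {
    $enc = b64url_encode(json_encode($payload));
    return b64url_encode(hash_hmac('sha256', $enc, $appSecret, true)) . '.' . $enc;
}

$secret = 'constructed-app-secret';
$cookie = make_signed_request(['algorithm' => 'HMAC-SHA256', 'code' => 'SAMPLE_CODE'], $secret);
$canvas = make_signed_request(['algorithm' => 'HMAC-SHA256', 'oauth_token' => 'SAMPLE_TOKEN'], $secret);
foreach (['cookie' => $cookie, 'canvas' => $canvas, 'tampered' => $cookie . 'x'] as $name => $sr) {
    $data = parse_signed_request($sr, $secret);
    $what = $data === null ? 'rejected (bad signature or format)'
          : (isset($data['oauth_token']) ? 'token present' : 'code present, exchange it server-side');
    echo "$name: $what\n";
}
```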