Signed Requests

For certain types of apps, we return a signed request to the app. This contains additional fields of information, even before your app requests permissions. For information on how to parse the data you receive, see Using a Signed Request.

The JSON object returned with the signed request does not have a strict format. It varies depending on the different types of apps that can access it such as Canvas, Page Apps, and so on. However you can assume that the payload contains some of the following fields and values:



an OAuth Code which can be exchanged for a valid user access token via a subsequent server-side request


A JSON string containing the mechanism used to sign the request, normally: HMAC-SHA256.


A JSON number containing the Unix timestamp when the request was signed.


A JSON string containing the User ID of the current user.


A JSON object containing the locale string, country string and the age object. See the Age Object table for actual min and max values.


A JSON string that can be used when making requests to the Graph API. This is also known as a user access token.


A JSON number containing the Unix timestamp when the oauth_token expires.


A JSON string containing the content of the app_data query string parameter which may be passed if the app is being loaded within a Page Tab.


A JSON object included when a Page tab loads your app. The object contains information about the Page that owns this tab.


The page ID.


This field exists only apps created before Graph API v2.1 launched (August 7th, 2014). For older apps, the value will always be true.


true if the loading user is an admin of the page, false if they're not.

Some fields and values, the user_id and oauth_token for example will only be passed if the user has logged into your app.

The age object

The age object, which is part of the user object will only be returned in the signed_request parameter for Canvas Apps; it will not be returned for external apps. It provides an unspecific age range that the user fits into, allowing apps to determine whether the user can be shown alcohol content for example, without identifying their age specifically. The following table shows the possible age range values returned:







max is not sent