Signed Requests

For certain types of apps, we return a signed request to the app. This contains additional fields of information, even before your app requests permissions. For information on how to parse the data you receive, see Using a Signed Request.

The JSON object returned with the signed request does not have a strict format. It varies depending on the different types of apps that can access it such as Canvas, Page Apps, and so on. However you can assume that the payload contains some of the following fields and values:

Name Description


an OAuth Code which can be exchanged for a valid user access token via a subsequent server-side request


A JSON string containing the mechanism used to sign the request, normally: HMAC-SHA256.


A JSON number containing the Unix timestamp when the request was signed.


A JSON string containing the User ID of the current user.


A JSON string that can be used when making requests to the Graph API. This is also known as a user access token.


A JSON number containing the Unix timestamp when the oauth_token expires.


A JSON string containing the content of the app_data query string parameter which may be passed if the app is being loaded within a Page Tab.

Some fields and values, the user_id and oauth_token for example will only be passed if the user has logged into your app.

The age object

The age object, which is part of the user object will only be returned in the signed_request parameter for Canvas Apps; it will not be returned for external apps. It provides an unspecific age range that the user fits into, allowing apps to determine whether the user can be shown alcohol content for example, without identifying their age specifically. The following table shows the possible age range values returned:

Min Max






max is not sent