Home » Php » php – Facebook user deauthorizes the app

php – Facebook user deauthorizes the app

Posted by: admin July 12, 2020 Leave a comment


when user accepts the facebook application from my website, I am storing the user details and facebook details(access token) in database.

when he removes my application from facebook i want to remove the detail from database. how to do this?

I can give Deauthorize Callback url. if some one removes application, it will redirect to this page. but, wt should be the code here to delete the data from db? I means, when it redirect, will it post the access token details, so that i can charge fro access token and delete that row.

How to&Answers:

It’s clearly stated in the authentication document:

App Deauthorization

When a user of your app removes it in
the App Dashboard or blocks the app in
the News Feed, your app can be
notified by specifying a Deauthorize
Callback URL in the Developer App.
During app removal we will send an
HTTP POST request containing a single
parameter, signed_request, which
contains the user id (UID) of the user
that just removed your app. You will
not receive an user access token in
this request and all existing user
access tokens will be automatically

So using the signed_request function on its own docuement:

function parse_signed_request($signed_request, $secret) {
  list($encoded_sig, $payload) = explode('.', $signed_request, 2); 

  // decode the data
  $sig = base64_url_decode($encoded_sig);
  $data = json_decode(base64_url_decode($payload), true);

  if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
    error_log('Unknown algorithm. Expected HMAC-SHA256');
    return null;

  // check sig
  $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
  if ($sig !== $expected_sig) {
    error_log('Bad Signed JSON signature!');
    return null;

  return $data;

function base64_url_decode($input) {
  return base64_decode(strtr($input, '-_', '+/'));

$result = parse_signed_request($_REQUEST['signed_request'],"APP_SECRET");

$myFile = "deauthorize.txt";
$fh = fopen($myFile, 'w') or die("can't open file");
fwrite($fh, $result["user_id"] . "\n");


So all you need to do is get the $result["user_id"] query your DB and remove the record.

P.S: I would recommend adding a new field called active and just deactivate the user instead of removing the record all together.

Facebook will NOT redirect the user to the deauthorize URL! it’ll ping it only:

Facebook pings this URL when a user
deauthorizes your app


This code is not working, although it gets called when a user deauthorizes the app the only data passed into the function is a “1” (Tested with test user and my own FB account when app is live)

file_put_contents(“test.txt”,$fbUserId . ” “. print_r($_REQUEST[‘signed_request’]));

in test.txt file ” 1″