Facebook DeAuthorize callback URL and its response data.

You are viewing revision #3 of this wiki article.
This version may not be up to date with the latest version.
You may want to view the differences to the latest version or see the changes made in this revision.

« previous (#2)next (#4) »

Facebook Deauthorize callback is used to getting notification to the app owner when a user uninstall our app from their fan page or profile.

We have an option in Facebook’s advanced section of app settings named “Deauthorize Callback“.Here we can specify a URL in ourserver.If we are setting a URL in this section facebook will send a signed request to the specified URL when a user uninstall our app from their fanpage or profile.Facebook providing 2 functions to decode the signed Request and get the encoded data using our app secret key.

Here is what i have done in my callback URL to get the singned request details,


  {    $data=$this->parse_signed_request($_REQUEST[‘signed_request’],’YOUR_FB_SECRET_KEY’);



But whats the problem here is that we cannot identify the structure of decoded array $data.because this process is a hidden call so that we cannot print this using print_r();

so what i have done is that stored it to a file by serializing after that i restored this object by unserialize from that file in my server.

here is the code for that:


The above 2 process is happening at the time of uninstall callback.after this 2 processes i executed one more code to get this from that file and print it out.


    echo “<pre>”;
    echo “</pre>”;

Then i got a result like below:




Here i got the fan page id as profile_id from this array .that is the fan page id which is uninstalled my app if it is a user profile the we will get the user facebook id in “user_id” from this array.

here is that 2 functions from facebook:

function parse_signed_request($signed_request, $secret) {
  list($encoded_sig, $payload) = explode(‘.’, $signed_request, 2); 

  // decode the data
  $sig = $this->base64_url_decode($encoded_sig);
  $data = json_decode($this->base64_url_decode($payload), true);

  if (strtoupper($data[‘algorithm’]) !== ‘HMAC-SHA256’) {
    error_log(‘Unknown algorithm. Expected HMAC-SHA256’);
    return null;

  // check sig
  $expected_sig = hash_hmac(‘sha256’, $payload, $secret, $raw = true);
  if ($sig !== $expected_sig) {
    error_log(‘Bad Signed JSON signature!’);
    return null;

  return $data;

public function base64_url_decode($input)
  return base64_decode(strtr($input, ‘-_’, ‘+/’));

By using this function you can decode that signed request and get the id of the uninstalled fan page or profile id.


sirin k

Hire Yii developer