why do I get "Invalid appsecret_proof provided in the API argument"

Since the latest change on Facebook, regarding the appsecret_proof: https://developers.facebook.com/docs/reference/api/securing-graph-api/, we are still unable to download performance reports even after enabling/disabling features from Advanced Settings in our app, or apply the code as described in their document.

We are constantly getting this error:

{"error":{"message":"Invalid appsecret_proof provided in the API argument","type":"GraphMethodException","code":100}}

and I've open a confidential bug but no one returns to me with an answer.

I really don't know what more could we try?


The error is (based on my experience) almost certainly correct; it means you're proving an invalid appsecret_proof with your API call

Assuming you're using the standard PHP SDK without modifications, the most likely reasons for this are:

  • You configured the wrong app ID in the SDK code
  • You configured the wrong app secret in the SDK code
  • You're trying to use an access token from the wrong / another app

Another potential cause of the "Invalid appsecret_proof ..." error, is a user access token that is not associated with an app. If you are generating a user access token using the graph explorer, make sure to select an app from the dropdown on the top right corner. Otherwise, you will be generating tokens that only work within the graph API explorer.

I filed a bug with the Python SDK before I caught my mistake. GUIs are the devil.


No bug in the latest version of the facebook PHP SDK. You need to create appsecret_proof as per the docs:

$appsecret_proof= hash_hmac('sha256', $access_token, $app_secret);

then pass it as a parameter to your api call.

See the docs here: https://developers.facebook.com/docs/graph-api/securing-requests/

Once I did this all was good and I didn't have to hack base_facebook.php


There is a bug in the Facebook SDK. After 20 hours of trying everything to debug my own code (which had no issues!), I commented this out in base_facebook.php:

/* Commented out by SJ 
    if (isset($params['access_token'])) {
      $params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']);
    }
*/

And all the problems went away!


This is error is because of in correct token. It may be because you are using different account for configuring web app and mobile app for Facebook configuration. Both accounts should be same.

The app ID must be the same for your mobile app and your web app.