Here's what Facebook says:
"New security restrictions for OAuth authorization codes. We will only allow authorization codes to be exchanged for access tokens once and will require that they be exchanged for an access token within 10 minutes of their creation. This is in line with the OAuth 2.0 Spec which from the start has stated that "authorization codes MUST be short lived and single use". For more information, check out our Authentication documentation.
The way around this is to use the extending your access token api:
https://developers.facebook.com/docs/howtos/login/extending-tokens/