If you have a requirement to not use an official SDK then I would say that you should validate the tokens you retrieve by querying /me.
This is the best way to make sure that you are dealing with a valid token as it is verified by Facebook when you use it for a request.
If the token you are using is not valid, you'll get a response similar to this:
{
  "error": {
    "message": "Invalid OAuth access token.",
    "type": "OAuthException",
    "code": 190
  }
}
User access tokens are unique per user and per application. Each application will return a different token for the same user.
Application access tokens are unique per application and do not require any requests to Facebook in order to retrieve them - they are just a concatenation of the app_id and app_secret: app_id|app_secret
as mentioned in the documentation:
There is another method to make calls to the Graph API that doesn't require using a generated app token. You can just pass your app id and app secret as the access_token parameter when you make a call:
http://graph.facebook.com/endpoint?key=value&access_token=app_id|app_secret
The choice to use a generated access token vs. this method depends on where you hide your app secret.
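A small validator built around that /me check, as an added example and not code from the answer above. It uses only the Python standard library; the endpoint URL is the one named in the answer, the function names are my own, and the sample response bodies are constructed.

```python
"""Validate a Facebook access token by letting Facebook verify it via /me."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH_ME = "https://graph.facebook.com/me"  # endpoint named in the answer


def graph_me(token: str, timeout: float = 5.0) -> str:
    """Call /me over HTTPS and return the raw JSON body.

    An invalid token comes back as an HTTP error whose body is the
    OAuthException object, so that body is read and returned as well.
    The token is sent only as a query parameter and is never logged.
    """
    url = GRAPH_ME + "?" + urllib.parse.urlencode({"access_token": token})
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        return exc.read().decode("utf-8")


def classify_me_response(body: str) -> dict:
    """Decide whether a /me response proves the token valid.

    Only a body carrying a user "id" counts as valid. Any "error" object
    (e.g. type OAuthException, code 190 as shown above) means invalid, and
    a non-JSON body (proxy page, outage) is treated as invalid, not valid.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"valid": False, "reason": "non-JSON response", "user_id": None}
    err = data.get("error")
    if isinstance(err, dict):
        reason = f"{err.get('type', 'Error')} code {err.get('code')}: {err.get('message')}"
        return {"valid": False, "reason": reason, "user_id": None}
    if isinstance(data.get("id"), str) and data["id"]:
        return {"valid": True, "reason": "verified by /me", "user_id": data["id"]}
    return {"valid": False, "reason": "no user id in response", "user_id": None}


def validate_token(token: str, fetch=graph_me) -> dict:
    """Validate a *user* token; `fetch` is injectable so tests run offline."""
    if not token or "|" in token:
        # "app_id|app_secret" is an application token (see above), not a user
        # identity, and an empty token is rejected before any network call.
        return {"valid": False, "reason": "not a user access token", "user_id": None}
    return classify_me_response(fetch(token))
```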