After getting the access token, simply use it with your calls. For eg:
$res = json_decode(file_get_contents(https://graph.facebook.com/me/friends?access_token=ACCESS_TOKEN));
EDIT
The token: APP_ID|APP_SECRET
is the app access token, not the user access token; so it has nothing to do with the user and it wont understand /me
. And its power is just.
The other token that is received by the login flow (as mentioned in the link you've mentioned in the question) is the user access token, and it understands /me
. It has the power to do anything that user has granted the app to.