Question

I have been trying to wrap my head around creating a RESTful API using OAuth for both 2-legged and 3-legged authentication scenarios. I have read a lot of articles and I am at the moment just very confused. I am now looking through various API implementations to gain a better understanding.

While looking through a Facebook API service consumption implementation, after getting an access token, I noticed the following URL structure for a resource request:

https://graph.facebook.com/me?access_token={access_token}

I was thinking the app_key and the secret_key of the consumer will also be passed as a parameter.

I am imagining a scenario where 'offline_access' is part of the permission scope. What if this access token is passed by another application? How does Facebook validate that it is the right consumer?

Thank you.

No correct solution

License: CC-BY-SA with attribution
Not affiliated with StackOverflow