Created August 11, 2011 15:49
Decode Facebook signed_request with NodeJS
//npm install b64url
//A signed_request for testing:
var base64url = require('b64url');
var crypto = require('crypto');

function parse_signed_request(signed_request, secret) {
    var encoded_data = signed_request.split('.', 2);
    // decode the data
    var sig = encoded_data[0];
    var json = base64url.decode(encoded_data[1]);
    var data = JSON.parse(json); // ERROR Occurs Here!
    // check algorithm - not relevant to error
    if (!data.algorithm || data.algorithm.toUpperCase() != 'HMAC-SHA256') {
        console.error('Unknown algorithm. Expected HMAC-SHA256');
        return null;
    }
    // check sig - not relevant to error
    var expected_sig = crypto.createHmac('sha256', secret).update(encoded_data[1]).digest('base64').replace(/\+/g, '-').replace(/\//g, '_').replace('=', '');
    if (sig !== expected_sig) {
        console.error('Bad signed JSON Signature!');
        return null;
    }
    return data;
}
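
An added example (not part of the original gist or its comments): a variant using only Node's built-in `crypto` that authenticates the payload before parsing it and compares signatures in constant time. The function names, the secret and the sample request are constructed for illustration.

```javascript
// Added example, not the gist author's code. Secret and payload are constructed.
const crypto = require('crypto');

// base64url string -> Buffer (map back to the standard base64 alphabet first)
function b64urlDecode(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Buffer -> unpadded base64url string
function b64urlEncode(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the decoded payload, or null when the request is malformed, the
// signature does not match, or the declared algorithm is not HMAC-SHA256.
function verifySignedRequest(signedRequest, secret) {
  if (typeof signedRequest !== 'string') return null;
  const parts = signedRequest.split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const [encodedSig, payload] = parts;

  // Authenticate the still-encoded payload before parsing any of it.
  const mac = crypto.createHmac('sha256', secret).update(payload).digest();
  const expected = Buffer.from(b64urlEncode(mac), 'ascii');
  const given = Buffer.from(encodedSig, 'ascii');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;

  let data;
  try {
    data = JSON.parse(b64urlDecode(payload).toString('utf8'));
  } catch (e) {
    return null; // correctly signed, but not valid JSON
  }
  if (!data || typeof data.algorithm !== 'string' ||
      data.algorithm.toUpperCase() !== 'HMAC-SHA256') return null;
  return data;
}

// Demo helper (constructed): builds a signed_request in the same format.
function makeSignedRequest(obj, secret) {
  const payload = b64urlEncode(Buffer.from(JSON.stringify(obj), 'utf8'));
  const mac = crypto.createHmac('sha256', secret).update(payload).digest();
  return b64urlEncode(mac) + '.' + payload;
}

const SECRET = 'constructed-app-secret';
const sample = makeSignedRequest({ algorithm: 'HMAC-SHA256', user_id: '12345' }, SECRET);
console.log(verifySignedRequest(sample, SECRET));
```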

Thank you very very much!


nilsnh commented Apr 26, 2012

I second that, thank you man! Hurray to you sir! :)


Thanks a lot! This isn't well documented on Facebook's dev site.


Very useful - thanks


very very useful, many thanks


kluplau commented Apr 12, 2014

AWESOME!! Thanks...

For those of you who, like me, encounter errors when using this in a node webserver, require these:
var base64url = require('b64url');
var crypto = require('crypto');


Can someone explain what the final data contains? Does that contain the page_id that the canvas is on? Like explained here


bgmort commented Apr 28, 2017

Here's a cleaned up version that doesn't depend on a third party module:


thanks for this


Thank you :))


dibikhin commented Apr 7, 2021

Here is another impl of parsing Facebook signed request for Node.js -
It's well-structured, self-tested and has zero dependencies. It has been successfully tested on production a few times by these steps. Test it carefully anyway.

(The original Facebook code on PHP for Data Deletion Callback.)

I've found this gist after I'd implemented my own :)


monogot commented Mar 23, 2022

@dibikhin Thanks.

This is what I am going with, got as close to the PHP as I could.
