Data Deletion Request Callback

Facebook app settings provides a way for people to request your app to delete the data it has from Facebook about them.

This generates a POST with a signed request that is sent to your app. The signed request contains an app-scoped ID identifying the user making the request. For an example of how to parse the request and the structure of the parsed request, see the following section.

Implementing the Callback

To parse and respond to the request, you should implement a "data deletion request" callback. Your callback must use the secure HTTPS protocol and must be listed in the Data Deletion Request URL field of your app's Facebook Login > Settings page in the app dashboard.

If you implement a Data Deletion Request callback, it must do the following:

  • Initiate the deletion of any data your app has from Facebook about the user.
  • Return a JSON response that contains a URL where the user can check the status of their deletion request and an alphanumeric confirmation code. The JSON response has the following form: { "url": "<url>", "confirmation_code": "<code>" }

Failure to comply with these requirements may result in your callback being removed or your app being disabled.

You can implement this callback in any language, but the following code is an example of the callback in PHP.

<?php

header('Content-Type: application/json');

$signed_request = $_POST['signed_request'] ?? '';

$data = parse_signed_request($signed_request);

if ($data === null || empty($data['user_id'])) {
    // Signature invalid or request malformed: do not start a deletion for it
    http_response_code(400);
    echo json_encode(array('error' => 'invalid signed_request'));
    exit;
}

$user_id = $data['user_id'];

// Start data deletion for $user_id here

$status_url = 'https://www.<your_website>.com/deletion?id=abc123'; // URL to track the deletion
$confirmation_code = 'abc123'; // unique code for the deletion request

$response = array(
    'url' => $status_url,
    'confirmation_code' => $confirmation_code
);

echo json_encode($response);

function parse_signed_request($signed_request) {
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) {
        error_log('Malformed signed_request');
        return null;
    }
    list($encoded_sig, $payload) = $parts;

    $secret = "appsecret"; // Use your app secret here

    // decode the data
    $sig = base64_url_decode($encoded_sig);
    $data = json_decode(base64_url_decode($payload), true);

    if (!is_array($data) || strtoupper($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        error_log('Unknown algorithm. Expected HMAC-SHA256');
        return null;
    }

    // confirm the signature (the HMAC covers the still-encoded payload string)
    $expected_sig = hash_hmac('sha256', $payload, $secret, true);
    if ($sig === false || !hash_equals($expected_sig, $sig)) { // constant-time comparison
        error_log('Bad Signed JSON signature!');
        return null;
    }

    return $data;
}

function base64_url_decode($input) {
    // signed_request uses URL-safe base64 ('-' and '_') without padding
    return base64_decode(strtr($input, '-_', '+/'));
}

?>

Parsing the signed request produces a JSON object like the following; user_id is the field your callback needs.

{
    "oauth_token": "{user-access-token}",
    "algorithm": "HMAC-SHA256",
    "expires": 1291840400,
    "issued_at": 1291836800,
    "user_id": "218471"
}
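The following Python is an added example, not Facebook's code and not the PHP above: it builds a signed_request the way the sender does so the parser can be exercised offline, verifies the HMAC-SHA256 signature over the encoded payload with a constant-time comparison, rejects a tampered payload or wrong secret, and returns the required JSON response body. The app secret and the www.example.com status URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed secret for this example; a real callback loads its app secret from configuration.
APP_SECRET = b"example-app-secret"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    # signed_request omits base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_signed_request(payload: dict, secret: bytes) -> str:
    """Build a signed_request the way the sender does; used here only to test the parser."""
    encoded_payload = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, encoded_payload.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{encoded_payload}"

def parse_signed_request(signed_request: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the HMAC-SHA256 signature verifies, otherwise None."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
        sig = b64url_decode(encoded_sig)
        data = json.loads(b64url_decode(payload))
    except ValueError:  # missing '.', bad base64 or bad JSON
        return None
    if not isinstance(data, dict) or str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The HMAC covers the still-encoded payload string, not the decoded JSON
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return data

def handle_deletion_request(signed_request: str, secret: bytes) -> Optional[dict]:
    """The callback body: verify the request, start deletion, return the JSON response."""
    data = parse_signed_request(signed_request, secret)
    if data is None or not data.get("user_id"):
        return None  # caller answers with HTTP 400 and deletes nothing
    # Initiate deletion of everything stored about data["user_id"] here (not shown).
    code = secrets.token_hex(8)  # unique, alphanumeric confirmation code for this request
    # Assumption: www.example.com stands in for the app's own status page
    return {"url": f"https://www.example.com/deletion?id={code}", "confirmation_code": code}
```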

Testing Your Callback

To test your callback:

  • Log in to your app with Facebook Login.
  • Go to app settings: https://www.facebook.com/settings?tab=applications
  • Remove your app.
  • In the Removed section, click on your app.
  • Request data deletion from the app card.
