Track users who are removing your facebook application

facebookSometimes we may need to track which users of our facebook application are removing the application from their application setting. In 2008, there is a setting parameter named something like “remove application url” or other, that is now changed by facebook.

Now in the application setting in the advanced tab you’ll see a new parameter named Deauthorize Callback in the authentication area. Facebook shows a comment beside this “Facebook pings this URL when a user deauthorizes your application”

So you’ve to provide a callback url here which are pinged by facebook when someone deauthorized your application. And remember this should be server url not facebook app url. If your server base address is then code in removeapp.php so that facebook pinged this url.

Now see the code should be in removeapp.php

1. First update application setting like the following screenshot:

Set Enabled for OAuth 2.0 for Canvas (beta) and also provide deauthorize callback url correctly.

2. Now write codes in removeapp.php


//here you'll get the user id who is removing or deauthorize your application
$config['secret_key'] = "XXXXXXXX" ; //this is your application's secret key
$data         =   parse_signed_request($_REQUEST['signed_request'], $config['secret_key']);
$fbUserId   =   $data['user_id'];

/*$fbUserId this is the Facebook User UID who is removed your application. So you can use this id to update your database or do other tasks if required for your application

/* These methods are provided by facebook
function parse_signed_request($signed_request, $secret) {
  list($encoded_sig, $payload) = explode('.', $signed_request, 2);

  // decode the data
  $sig = base64_url_decode($encoded_sig);
  $data = json_decode(base64_url_decode($payload), true);

  if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
    error_log('Unknown algorithm. Expected HMAC-SHA256');
    return null;

  // check sig
  $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
  if ($sig !== $expected_sig) {
    error_log('Bad Signed JSON signature!');
    return null;

  return $data;

function base64_url_decode($input) {
  return base64_decode(strtr($input, '-_', '+/'));

Facebook writes about deauthorize URL:

Deauthorize Callback

When a user of your application removes it (clicking the X on Application Settings or blocks the application) your app can be notified by specifying a Deauthorize Callback URL on the Edit Settings page of your application. During the application removal, Facebook will visit your URL with an HTTP POST request containing a single query parameter, signed_request, with a payload of the user_id of whichever user just removed your application. You will not get an oauth_token and every other token that you have will be invalidated since the user has de-authorized your application.

See the Canvas Authorization documentation for information on how to parse this parameter and extract the user_id.


When you are writing a Facebook canvas application, you often need information from Facebook such as which user is logged in to your application or whose profile the user viewing. Facebook sends you this information contained in the signed_request parameter as follows. More at here

Facebook is actually updated application authentication system to oAuth 2.0. Currently its in beta stage. In this new system, facebook pass a signed_request so that your application receive and verify the original data from facebook. But to retrieve user id from this signed_request parameter you’ve to parse them and the functions I mentioned above are taken from facebook documentation to parse this signed_request.

For more information please read the following:

mahmud ahsan

Computer programmer and hobbyist photographer from Bangladesh, lives in Malaysia. My [Github | Business | Twitter | Linkedin | Youtube | Instagram | 500px]

You may also like


  • জামান-এ-পিরি পাশা
    September 21, 2010 at 7:44 am

    nice……thanks for sharing.

  • Patricio
    October 1, 2010 at 2:43 am

    Hi, nice post!, do you know what about POST authorize callback? i can´t see anymore…

  • Ben
    October 16, 2010 at 4:04 pm

    Thanks. Couldn’t figure it out I need to enabled the OAuth 2.0 Beta to get it to work.

  • Jason
    December 15, 2010 at 6:00 pm

    First off, great tutorial site buddy.
    Built my first FB app solely based on your tutorials.

    Btw, just an observation.

    FB pings this URL only if I click on “remove or block app” on the application page and NOT when i click on remove app on the news feed page. Probably a bug or oversight on FB side.

    Keep up the good effort buddy 😉

  • kr2
    January 5, 2011 at 3:27 am

    Hello i’m trying to use deauthorize_callback i need to update a table when user remove my app, i have provided the url for deauthorize_callback and enabled the OAuth 2.0, i did a test storing the request into a file but it seem doesn’t work. =(



    The request.txt file is not created, it may be that facebook don’t call my removeApp page? please help!

    • mahmud ahsan
      mahmud ahsan
      January 6, 2011 at 9:07 pm

      Use domain or dedicated ip as callback URL.

  • Clifton
    January 26, 2011 at 5:39 pm

    What if the user is removing your app from a page and they administer several pages? How do you know which page they have removed it from? Just receiving their user id won’t help to update the record in the database if that user has added your app to several different pages. Thanks

  • ken
    December 4, 2011 at 11:32 pm

    thankyou very much for the first 3 lines of code.. just what i was looking for. works.

  • Sonal Khunt
    April 3, 2012 at 12:50 pm

    Thank you so much

    I use your code to de authorize my facebook application and it work just fine..

    I already wast my 4 hrs before i got your article..

    Thank you so much..

    Sonal Khuny

  • Srini
    June 20, 2012 at 4:02 am

    Hi It looks now it is no more working, can you please check what could be the reason ?

  • neo!
    November 15, 2012 at 5:33 pm

    Thank you! exactly what i was searching for !

Comments are closed here.