Facebook Connect FAQ
From Facebook Developer Wiki
Q: I click the Login button and nothing happens.
A: First off, check your Connect URL in your Developer application settings. The domain of the Connect URL needs to exactly match the domain of your site – even blah.com and www.blah.com don't match. If that doesn't work, then try using Firebug. Go to the Net tab and see what's happening with the Cross Domain communication library. Verify that the calls were made to login_status.
Q: Why do I get this error: Session key is invalid or expired?
A: The JavaScript library fetches and then caches a session key in the cookies on the client. If the user logs out of Facebook in another tab, then that session will no longer work and you'll see this error. Your code should gracefully handle this failure and refresh the page -- if the user is still logged into Facebook then it should fetch a new session from Facebook.
Q: Okay I have a session. Now what?
A: You can choose to redirect the user to a logged in page on your site, or you can modify content in place with an Ajax fetch if a lot of other content already exists on the page. Here's a decent JavaScript callback that will just refresh your page:
Q: Do we need to create a new API Key for Facebook Connect? Or can we just use our existing one?
A: For now, you should create a new API key on Facebook to test Connect. This way, you won't disrupt your production application. Once we complete the testing phase, you should be able to use your existing API key so your users can connect accounts easily.
Q: What is the current launch plan for Facebook Connect?
A: Facebook Connect is now fully launched, and immediately available for everyone to develop and create Facebook Connect sites.
Q: What new policies do you have in place for Facebook Connect?
A: We're in the midst of reviewing what modifications are needed to Facebook Platform policy. Thus, new guidelines are TBD, with one exception: applications can publish one-line stories using the API only after Facebook approves your site.
Q: How does the email hash matching work?
A: You can find the technical details where connect.registerUsers is described. This is a more illustrative description.
You create a hash of the email addresses of the users on your site and send the hashes to Facebook. Facebook compares your hashes to hashes of all its users' email addresses and looks for matches. It does this comparison for every email address listed in each user's Contact Info on Facebook.
Initially, only Facebook knows that Jane Smith on your site is the same Jane Smith who's on Facebook. Your site will know they're the same person once she accepts the Connect request. This protects her accounts from being linked without her knowledge.
Q: How does cross-indexing the list of friends work?
A: You send Facebook a batch of hashed email addresses of your site's members (how many you want to send is up to you). Facebook compares these hashes against Jane Smith's Facebook friends. If Facebook finds any matches, then Connect requests can be sent to those users. When a friend accepts the Connect request, Facebook tells your application about the connected friends, and you can update your site accordingly.
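The two matching flows described above, as an added example that is not code from the original page or from Facebook. It assumes the hash format documented for connect.registerUsers is the CRC32 and MD5 of the trimmed, lowercased address joined by an underscore; `site_batch`, `facebook_match` and all sample data are hypothetical names and constructed values, and the Facebook side is only modelled.

```python
import hashlib
import zlib

def email_hash(email):
    """Hash a normalized address as '<crc32>_<md5>' (assumed format)."""
    raw = email.strip().lower().encode("utf-8")
    return f"{zlib.crc32(raw) & 0xFFFFFFFF}_{hashlib.md5(raw).hexdigest()}"

def site_batch(member_emails):
    """Site side: only hashes leave the site, never the addresses."""
    return [email_hash(e) for e in member_emails]

def facebook_match(submitted_hashes, contact_info, restrict_to=None):
    """Facebook side (modelled): compare submitted hashes with every address
    in each user's Contact Info. restrict_to limits the search to a set of
    user ids, e.g. one user's friends for the cross-indexing case."""
    index = {}
    for uid, emails in contact_info.items():
        if restrict_to is not None and uid not in restrict_to:
            continue
        for e in emails:
            index[email_hash(e)] = uid
    return {h: index[h] for h in submitted_hashes if h in index}

# Constructed sample data: three site members, three Facebook users.
SITE_MEMBERS = [" Jane.Smith@Example.com", "bob@example.org", "nomatch@example.net"]
FB_CONTACT_INFO = {
    101: ["jane@work.example", "jane.smith@example.com"],  # second address matches
    202: ["bob@example.org"],
    303: ["carol@example.com"],
}
JANE_FRIENDS = {202, 303}

def demo():
    batch = site_batch(SITE_MEMBERS)
    everyone = facebook_match(batch, FB_CONTACT_INFO)
    friends_only = facebook_match(batch, FB_CONTACT_INFO, restrict_to=JANE_FRIENDS)
    return sorted(everyone.values()), sorted(friends_only.values())

if __name__ == "__main__":
    print(demo())
```

The match table stays on the Facebook side of this model; the site learns of a link only after the user accepts the Connect request.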
Q: Can a site send a Connect request itself, or is only Facebook able to do so?
A: Yes, call connect.registerUsers.
Q: Is Facebook Connect secure?
A: Facebook Connect authentication is secure for users. Users will never give their password to a remote site. The authentication gives access to the same amount of data as the existing API.
Q: How does the cross domain communication work?
A: Facebook Connect uses a few techniques to communicate across domains. Check out Cross Domain Communication for details.
Q: With which browsers does Facebook Connect work?
A: For a list of browsers that work with Facebook Connect, see JavaScript Client Library#Supported Browsers.
Q: Since all communication is done via the user's browser, how does an application make sure that a given request was not spoofed?
A: Good question. Every time data is sent from Facebook to your app (whether the basic login status, or the result of an API call), it is signed with a signature. The JavaScript captures this signature and sets cookies to store it. Your server can check those cookies against your API secret key to verify that the information actually came from Facebook. See Verifying The Signature for more details.
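One way to perform the server-side cookie check described above, as an added example that is not code from the original page or from Facebook. It assumes the legacy Platform scheme (MD5 over the sorted `key=value` pairs followed by the application secret), cookies named `<api_key>_<name>` with the signature in the cookie named `<api_key>`, and an `expires` value of 0 meaning no expiry; confirm these against Verifying The Signature. All keys and values are constructed.

```python
import hashlib
import hmac
import time

def connect_signature(params, secret):
    """MD5 over the sorted key=value pairs followed by the app secret."""
    payload = "".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.md5((payload + secret).encode("utf-8")).hexdigest()

def verify_connect_cookies(cookies, api_key, secret, now=None):
    """Return the signed parameters if the cookies verify, else None."""
    prefix = api_key + "_"
    params = {k[len(prefix):]: v for k, v in cookies.items() if k.startswith(prefix)}
    sent_sig = cookies.get(api_key)
    if not params or not sent_sig:
        return None
    expected = connect_signature(params, secret)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), sent_sig.encode("utf-8")):
        return None
    try:
        expires = int(params.get("expires", "0"))
    except ValueError:
        return None
    now = time.time() if now is None else now
    if expires != 0 and expires < now:  # 0 = non-expiring (assumption)
        return None
    return params

# Constructed sample values, not real credentials.
API_KEY = "0123456789abcdef0123456789abcdef"
SECRET = "constructed-app-secret"

def sample_cookies():
    signed = {"user": "1234567", "session_key": "2.constructed",
              "expires": "2000000000", "ss": "constructed"}
    cookies = {f"{API_KEY}_{k}": v for k, v in signed.items()}
    cookies[API_KEY] = connect_signature(signed, SECRET)
    cookies["unrelated_site_cookie"] = "ignored"
    return cookies

if __name__ == "__main__":
    print(verify_connect_cookies(sample_cookies(), API_KEY, SECRET, now=1_900_000_000))
```

Only the values returned by the verifier should be trusted; a user id read straight from the unverified cookie can be set by anyone who controls the browser.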
Q: Can I dynamically insert XFBML code into the page after the page has loaded?
A: Sure -- insert your XFBML via JavaScript, then call FB.XFBML.Host.parseDomTree. This re-parses the DOM and updates the page with any new XFBML.
Q: My browser isn't parsing any XFBML tags. Why?
A: You need to declare Facebook's XML namespace. For each of your Connect HTML pages, use the following in your <html> tag:
Q: Can I use XFBML inside an fb:iframe tag on a Facebook application?
A: Yes, you can, especially since you cannot use regular FBML within this tag.
Q: Why is Facebook Connect only available in English?
A: We are launching in English to keep it simple while we work out the kinks. We think that international sites will be some of the most successful Connect sites and look forward to internationalizing once we have the English version up and running.
Q: My site runs in HTTPS via SSL. When I use Facebook Connect, I get "mixed content" warnings all over. How do I fix that?
A: You can use the secure version of Facebook Connect. Check out Facebook Connect Via SSL.
Q: Some of my XFBML tags (like fb:serverfbml) don't always load in Internet Explorer. Why not?
A: To use XFBML, you need to define the XML namespace (xmlns attribute of the html tag). Some browsers are more forgiving of this than others.
