How Facebook Authenticates Your Application

From Facebook Developer Wiki


When a user authorizes your application, a session is established and a session key is issued. You can use this key to make calls to the Facebook API. To make a request, the client POSTs its parameters to http://api.facebook.com/restserver.php.

There are three types of requests you can make to the API:

There are two methods that you can use to create a new session: auth.createToken and auth.getSession.

These are the parameters required for all API calls:

method (required): The method name. The method must be one of those exposed by the API documentation, or the API returns error code 3 (with message 'Unknown method').

api_key (required): The vendor-specific API key corresponding to the site making the API call. This is the same as in the login request.

sig (required): The signature for the method call. The sig needs to be lower case or an invalid signature error (104) will be returned.

The signature can be generated by calling generate_sig in facebook.php. generate_sig takes two parameters: an array of arg=val pairs and your app secret. The signature can also be constructed using the following algorithm (after all the other arguments have been determined):

args = array of args to the request, not counting sig, formatted in non-urlencoded arg=val pairs
sorted_array = alphabetically_sort_array_by_keys(args);
request_str = concatenate_in_order(sorted_array);
signature = md5(concatenate(request_str, secret))

Below is a PHP example of how to generate the sig:

<?php

$secret = 'Secret Key'; // where 'Secret Key' is your application secret key
$args = array(
    'argument1' => 'value1',
    'argument2' => 'value2'); // insert the actual arguments for your request in place of these example args
ksort($args); // the signature is computed over the arguments sorted alphabetically by key
$request_str = '';
foreach ($args as $key => $value) {
    $request_str .= $key . '=' . $value; // Note that there is no separator, and values are not urlencoded.
}
$sig = md5($request_str . $secret); // md5() returns lower-case hex, as the API requires

?>


For desktop applications, be sure to use the secret returned by auth.getSession when signing a call that includes a session_key. For calls such as auth.createToken that are made before a session exists, use your application's secret key as the secret. These are the parameters required for all API calls except those that happen outside of the context of a session:

session_key: The session key assigned to the user after they have logged in via the vendor page. This is the code returned to the application from the login request. This key may time out, after which the $API_EC_TIMEOUT error gets returned. The application then needs to redirect the user to the login page to obtain another key.

call_id: This is simply a number that must increase with each API call in a particular session. We strongly recommend using the current time in milli- or micro-seconds. In PHP, this can be set equal to microtime(true).
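The signing algorithm, the choice between the application secret and the session secret, and the matching server-side check, as an added Python example that is not part of the original wiki page or of facebook.php. The secrets and parameter values are constructed placeholders; the hypothetical verify_sig shows how a receiving side would validate a sig, including the lower-case requirement and a constant-time comparison.

```python
import hashlib
import hmac
import time

# Constructed placeholder secrets; real values come from your application settings.
APP_SECRET = "example-app-secret"
SESSION_SECRET = "example-session-secret"


def build_request_str(args):
    """Sort every argument except 'sig' by key and concatenate raw
    key=value pairs with no separator and no URL-encoding."""
    return "".join(f"{k}={v}" for k, v in sorted(args.items()) if k != "sig")


def generate_sig(args, secret):
    """sig = md5(request_str + secret); hexdigest() is already lower-case hex."""
    data = (build_request_str(args) + secret).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def select_secret(args, app_secret, session_secret):
    """Desktop apps: calls carrying a session_key are signed with the secret
    returned by auth.getSession; session-less calls use the app secret."""
    return session_secret if "session_key" in args else app_secret


def sign_request(args, app_secret, session_secret):
    """Return a copy of args with call_id (microseconds, monotonic per
    session) filled in if missing and the sig computed over everything."""
    signed = dict(args)
    signed.setdefault("call_id", str(int(time.time() * 1_000_000)))
    secret = select_secret(signed, app_secret, session_secret)
    signed["sig"] = generate_sig(signed, secret)
    return signed


def verify_sig(params, secret):
    """Hypothetical receiver-side check: reject a non-lower-case sig (the API
    answers error 104) and otherwise recompute and compare in constant time
    so that a byte-by-byte mismatch leaks no timing information."""
    presented = params.get("sig", "")
    if not presented or presented != presented.lower():
        return False
    expected = generate_sig(params, secret)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))
```

Note that because the pairs are neither separated nor encoded, a value containing '=' can produce the same request_str as a different set of arguments; the check above only tells you the caller knew the secret, not that the parameters are unambiguous.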


Whether the request generates an error or not, an XML stream gets sent back to the application as a response to the request.


See Also