Session Secret

From Facebook Developer Wiki


For most Facebook Platform canvas page applications, the application's API key and secret key provide sufficient security for making API calls. However, if your application makes calls from JavaScript or Flash, that code is delivered to the user's browser, where it can be read or decompiled, so you should never embed your secret key in it.

Instead of the application secret, you can use a session secret. A session secret is a secret that is valid only for one user session and lets you make API calls on behalf of that user. In effect it is a per-session application secret that may be shared with the user the session belongs to. Treat it like user data: anyone who obtains it can make API calls on behalf of both the application and that user for as long as the session is valid.


Desktop Applications and Session Secrets

Desktop applications should always use session secrets. A session secret is returned when a user successfully logs in to your desktop application. For more information, see Authorization and Authentication for Desktop Applications.

Facebook Connect for iPhone and Session Secrets

If you don't want to store your application secret in your Facebook Connect for iPhone app, you can use the getSessionProxy method to generate a session proxy URL instead. For more information, see Facebook Connect for iPhone.

Facebook Connect Websites and Session Secrets

For Facebook Connect websites, Facebook returns a session secret when a user successfully connects to your site. The secret is returned in a parameter named secret appended to your Connect URL.

Flash and IFrame Applications and Session Secrets

For IFrame applications and Flash objects rendered with fb:swf, when the user has an active session, Facebook sends a parameter called fb_sig_ss containing the session secret, provided the SWF or the iframe resides within the domain or a subdomain of your application's callback URL. You can use this key to make any API call (subject to the limitations below) using the following pattern:

  1. Set the argument ss to true.
  2. Sign your parameters with the fb_sig_ss value instead of the application secret key.
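The signing pattern above, worked through in Python as an added example; this is not code from the Facebook Developer Wiki or from the Facebook client libraries. It assumes the legacy REST API signing rule (sort the parameters by name, concatenate the name=value pairs with no separator, append the signing secret and take the hex MD5), that "set ss to true" is sent on the wire as ss=1, and that the fb_sig Facebook attaches to the inbound fb_sig_* parameters is computed the same way with the application secret. The API key, session key, session secret, application secret and the request parameters are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict


def signature(params: Dict[str, str], secret: str) -> str:
    """Legacy Facebook REST API request signature (assumed rule, see lead-in).

    Sort parameters by name, concatenate "name=value" pairs with no separator,
    append the signing secret and take the hex MD5. The secret is only appended
    to the signed string; it is never sent as a parameter.
    """
    payload = "".join(f"{name}={params[name]}" for name in sorted(params))
    return hashlib.md5((payload + secret).encode("utf-8")).hexdigest()


def verify_fb_sig(request_params: Dict[str, str], app_secret: str) -> Dict[str, str]:
    """Check the fb_sig on the fb_sig_* parameters Facebook sends to an iframe URL.

    Runs server side, where the application secret lives. The signed string is
    built from every fb_sig_* parameter with the "fb_sig_" prefix removed.
    Returns those parameters (prefix stripped) or raises ValueError, so that
    fb_sig_ss is only handed to client code when it really came from Facebook.
    """
    prefix = "fb_sig_"
    signed = {k[len(prefix):]: v for k, v in request_params.items() if k.startswith(prefix)}
    expected = signature(signed, app_secret)
    if not hmac.compare_digest(expected, request_params.get("fb_sig", "")):
        raise ValueError("fb_sig mismatch; fb_sig_ss from this request must not be trusted")
    return signed


def build_session_secret_call(method: str, api_key: str, session_key: str,
                              session_secret: str, call_id: str,
                              **args: str) -> Dict[str, str]:
    """Parameters for an API call signed with the session secret (fb_sig_ss).

    ss=1 asks the platform to check the signature against the session secret
    instead of the application secret, so this can run in Flash or JavaScript
    code that never holds the application secret.
    """
    params: Dict[str, str] = {
        "method": method,
        "api_key": api_key,
        "session_key": session_key,
        "call_id": call_id,
        "v": "1.0",
        "ss": "1",  # the page says "set ss to true"; "1" is the wire form assumed here
    }
    params.update(args)
    params["sig"] = signature(params, session_secret)
    return params


# Constructed sample values; none of these are real credentials.
APP_SECRET = "0123456789abcdef0123456789abcdef"
API_KEY = "fedcba9876543210fedcba9876543210"
SESSION_SECRET = "d41d8cd98f00b204e9800998ecf8427e"


def facebook_iframe_request(app_secret: str = APP_SECRET) -> Dict[str, str]:
    """Constructed stand-in for the query string Facebook sends when loading the iframe."""
    fb_params = {
        "fb_sig_user": "1234567",
        "fb_sig_session_key": "2.abc123.3600.1234567",
        "fb_sig_ss": SESSION_SECRET,
        "fb_sig_api_key": API_KEY,
        "fb_sig_time": "1262304000.0",
    }
    request = dict(fb_params)
    request["fb_sig"] = signature(
        {k[len("fb_sig_"):]: v for k, v in fb_params.items()}, app_secret)
    return request


def demo() -> Dict[str, str]:
    """Server side: verify the inbound request, then build the call the client will send."""
    fb = verify_fb_sig(facebook_iframe_request(), APP_SECRET)
    return build_session_secret_call(
        "users.getInfo", fb["api_key"], fb["session_key"], fb["ss"],
        call_id="1", uids=fb["user"], fields="name")


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print(f"{name}={value}")
```

The split between the two functions is the point of the section: verify_fb_sig needs the application secret and therefore belongs on the server that renders the iframe, while build_session_secret_call needs only the API key, the session key and fb_sig_ss, which are the only values that should ever reach the SWF or the browser.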

Limitations on Using a Session Secret

One limitation of using a session secret instead of your application secret is that you cannot make API calls that require the application secret. To determine which calls require the application secret and which accept a session secret, read Session Secret and API Methods.
