From Facebook Developer Wiki

Is this url guaranteed to be pinged before the user is sent to the post-authorize redirect url? -- 419214 10:28, 20 December 2008 (PST)

Yes, the first time the user authorizes your application. -- Pete (563683308 15:26, 21 December 2008 (PST))

Could somebody please describe the parameters?

As per the article, there's a link to Authorizing_Applications#Parameters_Passed_to_Your_Application where the params are all detailed. -- Pete (563683308 21:53, 12 January 2009 (PST))

The docs seem to stress that this is only called the FIRST time a user authorizes the application. Does that mean that if a user authorizes the application, then removes, and then subsequently authorizes it again that this URL will NOT be called? If that's the case it lessens the value of the callback. Typically this, coupled with the remove callback, would be used to let applications track who is using the application and prepare their database to store data. If, after removing an application and thus removing the application removes data, the user decides to authorize the application again, the application isn't able to re-create the user's profile in the application.

No, I tested, it's called every time they authorize the application after removing it. --1349426980 11:51, 10 June 2009 (PDT)

I'm having difficulty getting the signature to match when receiving the Post-Authorize Callback. At the moment I am testing both authorization and uninstalling on the same script. I am using the instructions given at Post-Remove URL - the script works and the signatures match when a user uninstalls the app, can I not use the same procedure when a user installs my app? That is sorting all the post data, appending it to a string (truncating fb_sig_), then adding the secret and hashing?