by Jim
Jan 18, 2008 5:04 PM
I'm setting up the various versions of my facebook application and just discovered that the API key and secret strings don't have to correspond to the application!
The dev application can callback to a server that is set up with the security information from the production application, and facebook doesn't complain one bit. From facebook's standpoint these are two different apps, even if they have the same developer.
Since the developer(s) control the callback URL through the app configuration, I don't see a way to take advantage of this - or even a reason to have the keys to begin with. But why have them if they aren't enforced?