The provisioning connector uses an access token to communicate with Workplace from Facebook. Because access tokens are portable, they can be stolen by malicious software on a person's computer or through a "man in the middle" attack. An unauthorized third party can then use the stolen access token to generate spam or steal data.

To ensure that API calls are only ever made from authorized server-side code, Workplace from Facebook recommends that you set your custom integration to require an "app secret proof".

When the feature is enabled and configured in PingFederate, the provisioning connector uses the app secret to send a short-lived app secret proof along with the access token when making API calls to Workplace from Facebook. This can have a minor effect on performance.
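The following is an added sketch, not PingFederate connector code, of how a time-bound proof can be derived from the app secret and why a stolen access token alone is not enough. It follows the HMAC-SHA256 construction in Facebook's public Graph API documentation (`appsecret_proof` with `appsecret_time`); the `verify_proof` function, the 300-second window, and the sample token and secret are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 300  # assumed validity window for this sketch


def make_proof(access_token, app_secret, now=None):
    """Client side: return (appsecret_proof, appsecret_time) for one API call."""
    ts = int(time.time() if now is None else now)
    # The proof binds the token to a timestamp, keyed with the app secret.
    msg = f"{access_token}|{ts}".encode()
    proof = hmac.new(app_secret.encode(), msg, hashlib.sha256).hexdigest()
    return proof, ts


def verify_proof(access_token, app_secret, proof, ts, now=None):
    """Hypothetical server-side check: enforce age, recompute, compare."""
    now = int(time.time() if now is None else now)
    if not 0 <= now - ts <= MAX_AGE_SECONDS:
        return False  # stale or future-dated proof
    expected, _ = make_proof(access_token, app_secret, now=ts)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, proof)


# Constructed sample values, not real credentials.
TOKEN = "EXAMPLE-ACCESS-TOKEN"
SECRET = "example-app-secret"

if __name__ == "__main__":
    proof, ts = make_proof(TOKEN, SECRET)
    print("request params:", {"access_token": TOKEN,
                              "appsecret_proof": proof,
                              "appsecret_time": ts})
    print("holder of the app secret:", verify_proof(TOKEN, SECRET, proof, ts))
    # Someone holding only the token has to guess the secret.
    forged, fts = make_proof(TOKEN, "guessed-secret")
    print("token without the secret:", verify_proof(TOKEN, SECRET, forged, fts))
    # A captured proof stops working once the window has passed.
    print("replayed after 10 minutes:",
          verify_proof(TOKEN, SECRET, proof, ts, now=ts + 600))
```

Because the app secret never leaves the server that holds it, keep it out of client-side code and logs; the proof is only as strong as the secrecy of that value.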

For official documentation on this feature, see App Secret Proof and Securing Graph API Requests in the Workplace from Facebook documentation.