I'm currently making a CMS and I would like to use some Facebook functionnalities.
The problem is that I need an API Key for that. So I'm wondering that if I have an API Key can I share it with my open source cms project to anyone? And can anyone use it with my CMS?
You have two options.
Create an app for each installation of the CMS, then set app secret and ID in the CMS configuration file.
If you want all installations to use the same app securely you will need a loop back server (i.e. the CMS installation makes a call to your server, which in turn makes a call to Facebook and returns the results).
Do not share your App Secret with anyone. The App Secret is used to sign the signed_request that is passed to you after Facebook authentication. With the App Secret, a hacker can impersonate anyone to use your app because he can pass anything and sign it as if it is from Facebook.
