How to solve the error in Facebook CAPI: “API calls from the server require an appsecret_proof argument”

When setting up the Facebook Conversions API tag (Meta CAPI), you may encounter this error:

This happens when your Business Manager enforces that all CAPI requests must include an App Secret Proof. While not common, some businesses enable this extra layer of security to better protect their API calls.

In this post, we’ll explain what the App Secret Proof is, why it matters, and how to fix or implement it in your GTM server‑side setup.

App Secret Proof is an additional security mechanism in Meta’s Graph API. It verifies that API requests made with an Access Token are also signed with the app’s App Secret.

👉 Please read more in Facebook documentation: App Secret Proof

If your Conversions API app is configured to require App Secret Proof, but your GTM server‑side tag does not send it, Facebook rejects the request and returns the error.

Example error response:

If your business does not intentionally require App Secret Proof, you can disable it in the App Settings:

1. Go to Apps in Meta for Developers.

2. Find the Conversions API Application tied to your Business Manager.

3. Navigate to App Settings → Advanced.

4. Under Security, toggle off Require App Secret.

If you don’t see the Conversions API Application, you may not have the necessary permissions. Ask a Business Manager admin or follow the access steps in How to Access Hidden Apps.

If your business intentionally requires App Secret Proof, you need to generate and add it to your Facebook Conversions API tag.

Steps:

1. Go to Apps in Meta for Developers.

2. Locate the Conversions API Application for your Business Manager.

3. In App Settings → Basic, click Show to reveal the App Secret.

4. Note the Access Token used in your Facebook CAPI tag.

5. Generate the App Secret Proof:

6. Add the generated value to the App Secret Proof field in your Facebook CAPI tag in sGTM.

✅ Done. Your events now should be sent successfully.

If you don’t see the Conversions API Application, you may not have the necessary permissions. Find them in a Business Manager admin or follow the access steps in how to access hidden apps further in this article.

By default, the Conversions API Application is created automatically when we enable Conversions API integrations for the first time, and is often hidden in Business Manager. Even admins may not see it without some tweaks.

Ways to gain access:

This article will demonstrate how to access the hidden Conversions API Application using the third option.

1. Open Business Manager settings.

2. Go to Users → System Users and select the Conversions API System User.

3. In Developer Tools on this tab (press the F12 key) and go to the Network tab.

4. Still on the System Users page, click on the Installed apps tab.

5. Back to the Developer Tools, open the global search panel (CTRL+F or CMD+F when in the Network tab), and search for Conversions API Application.

6. Find the response that has this format:

7. Extract the Application ID from the response.

8. Now, using the Business Manager ID (you can extract it from the URL parameter business_id in Business Manager), and Application ID extracted in the previous step, build the following URL:

9. Copy and paste it into the browser address bar.

10. On the page that opens, click Assign People and assign yourself the “Manage App” permissions.

Now you’ll see the app in Apps in Meta for Developers and can configure it properly.

The App Secret Proof is rarely used but sometimes enforced in Meta’s Conversions API. If you see the error, you have two paths:

Stape’s Facebook CAPI Template supports the App Secret Proof parameter, making the setup easier.