Laravel Facebook Data Deletion
March 30, 2026
What it does
When a user revokes a Facebook app's permissions, Meta sends a signed HTTP callback to your server requesting deletion of that user's data. This package intercepts that callback, verifies its authenticity via HMAC-SHA256, stores a deletion record, and dispatches an asynchronous job that executes your custom deletion logic. It also exposes a status endpoint that Meta (or your own UI) can poll to confirm the deletion was processed.
The package is intentionally generic — it doesn't assume anything about your user model or how Facebook IDs are stored, so it fits any application structure.
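What the HMAC-SHA256 check on Meta's callback involves, as an added example that is not the package's own code. It assumes Meta's documented `signed_request` format (`base64url(signature).base64url(JSON payload)`, keyed with the app secret); the function names, secret and payload are constructed for illustration.

```php
<?php
// Added example (not the package's code). Assumes Meta's signed_request format:
// base64url(signature) . "." . base64url(JSON payload), keyed with the app secret.

function base64UrlDecode(string $input): string|false
{
    $padded = str_pad(strtr($input, '-_', '+/'), (int) (ceil(strlen($input) / 4) * 4), '=');
    return base64_decode($padded, true); // strict: reject non-alphabet bytes
}

function parseSignedRequest(string $signedRequest, string $appSecret): ?array
{
    $parts = explode('.', $signedRequest);
    if (count($parts) !== 2) {
        return null;
    }
    [$encodedSig, $encodedPayload] = $parts;

    $signature = base64UrlDecode($encodedSig);
    if ($signature === false) {
        return null;
    }

    // The MAC covers the encoded payload exactly as received; compare in constant time.
    $expected = hash_hmac('sha256', $encodedPayload, $appSecret, true);
    if (!hash_equals($expected, $signature)) {
        return null;
    }

    // Only decode and trust the payload after the signature has been verified.
    $json = base64UrlDecode($encodedPayload);
    $payload = $json === false ? null : json_decode($json, true);
    if (!is_array($payload)
        || strtoupper((string) ($payload['algorithm'] ?? '')) !== 'HMAC-SHA256'
        || !isset($payload['user_id'])) {
        return null;
    }
    return $payload;
}

// Constructed sample: sign a payload with a placeholder secret, then verify it.
$secret = 'constructed-test-secret';
$encode = fn (string $raw): string => rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
$body = $encode(json_encode(['algorithm' => 'HMAC-SHA256', 'user_id' => '1234567890']));
$sig = $encode(hash_hmac('sha256', $body, $secret, true));

var_dump(parseSignedRequest("$sig.$body", $secret));        // correct secret
var_dump(parseSignedRequest("$sig.$body", 'wrong-secret')); // wrong secret
var_dump(parseSignedRequest("$sig.{$body}A", $secret));     // tampered payload
```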
Key Features
- HMAC-SHA256 signature validation on every incoming Meta callback
- Automatic CSRF exclusion for the webhook route
- Deletion record storage out of the box (via a published migration)
- Async job dispatch with configurable queue connection and queue name
- Confirmation code generation returned to Meta upon receipt
- Status endpoint with both HTML and JSON response support
- Two clean contracts to implement: a resolver and a deletion handler
- Publishable config and views for full customisation
Use Cases
- GDPR / Meta Platform compliance — any app using Facebook Login must provide a data deletion callback URL; this package handles the entire flow.
- Anonymisation workflows — implement the deletion handler to anonymise rather than hard-delete records, keeping referential integrity intact.
- Audit trails — the stored deletion records give you a log of every request received and its processing status.
- Multi-model apps — the resolver contract lets you map Meta App-Scoped IDs to any model, not just users.
Quick Start
Install:
    composer require lartisan/laravel-facebook-data-deletion
    php artisan vendor:publish --tag=facebook-data-deletion-config
    php artisan migrate
Configure .env:
    FACEBOOK_APP_SECRET=your_meta_app_secret
    FACEBOOK_DATA_DELETION_QUEUE_CONNECTION=redis
    FACEBOOK_DATA_DELETION_QUEUE=facebook-data-deletion
Register your two custom classes in config/facebook-data-deletion.php:
    'resolver' => App\Facebook\FacebookDeletionSubjectResolver::class,
    'deletion_handler' => App\Facebook\DeleteFacebookSubjectData::class,
The resolver maps a Meta App-Scoped ID to your application model; the deletion handler defines what "deleting" actually means (hard delete, anonymise, etc.).
Routes registered automatically:
    POST /api/facebook/data-deletion        ← Meta callback
    GET  /api/facebook/data-deletion/{code} ← Status endpoint
Optionally publish the views to customise the HTML status page:
    php artisan vendor:publish --tag=facebook-data-deletion-views
Conclusion
lartisan/laravel-facebook-data-deletion removes the boilerplate of Meta compliance from your codebase. It requires PHP 8.2+ and Laravel 11+, and is MIT-licensed.