
Server side identification using Facebook access token


I am currently developing a server in Python for a mobile application integrated with Facebook. The mobile application sends me the user's Facebook access token. Is it safe enough to just check if this token belongs to my Facebook application (the app id from the token matches my app id), or should I implement some more advanced form of authorization/security?

It's my first Facebook integrated app, so sorry for that basic question.


Solution

  • You can enable App Secret Proof in the App Settings and add the appsecret_proof parameter to every call on the Server: https://developers.facebook.com/docs/graph-api/securing-requests

    After that, every call has to add that parameter, and since it is generated with the App Secret (which is only used on the server), it should be pretty safe.
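The following is an added example (not part of the original answer or of Facebook's own code) showing the two server-side pieces this thread touches on: computing the `appsecret_proof` value the answer recommends, and checking the `data` object that the Graph API `debug_token` endpoint returns for a client-supplied token so that the app id, validity and user id are verified on the server rather than trusted from the client. The app id, user id, secret and JSON responses are constructed sample values, `GRAPH_API` is an assumed base URL, and no network call is made.

```python
import hashlib
import hmac
from typing import Tuple
from urllib.parse import urlencode

# Assumed base URL; pin the Graph API version your app actually targets.
GRAPH_API = "https://graph.facebook.com/v19.0"

# Constructed sample values for the example.
APP_ID = "123456789012345"
APP_SECRET = "constructed-app-secret-do-not-reuse"


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """HMAC-SHA256 of the access token, keyed with the app secret, hex encoded.

    This is exactly the value Facebook expects in the appsecret_proof
    parameter; it can only be produced by a party holding the app secret,
    so it must be computed on the server, never on the mobile client.
    """
    return hmac.new(
        app_secret.encode("utf-8"),
        access_token.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()


def graph_url(path: str, access_token: str, app_secret: str, **params: str) -> str:
    """Build a Graph API URL that carries both the token and its proof."""
    query = dict(params)
    query["access_token"] = access_token
    query["appsecret_proof"] = appsecret_proof(app_secret, access_token)
    return f"{GRAPH_API}/{path.lstrip('/')}?{urlencode(query)}"


def debug_token_url(input_token: str, app_access_token: str, app_secret: str) -> str:
    """URL for GET /debug_token, which inspects a token the client sent us.

    The call itself is authenticated with the app access token, so the
    appsecret_proof is computed over that token, not the user's token.
    """
    return graph_url("debug_token", app_access_token, app_secret, input_token=input_token)


def validate_debug_token(response: dict, expected_app_id: str) -> Tuple[bool, str]:
    """Check the JSON body of a /debug_token response.

    Returns (True, user_id) when the token is valid and was issued for our
    app, otherwise (False, reason). App ids are compared as strings because
    the API has returned them both as numbers and as strings over time.
    """
    data = response.get("data")
    if not isinstance(data, dict):
        return False, "malformed response"
    if data.get("error"):
        return False, "graph api reported an error for this token"
    if not data.get("is_valid"):
        return False, "token is not valid"
    if str(data.get("app_id")) != str(expected_app_id):
        return False, "token was issued for a different app"
    user_id = data.get("user_id")
    if not user_id:
        return False, "token carries no user id"
    return True, str(user_id)


# Constructed sample /debug_token responses (shape follows the documented API).
VALID_RESPONSE = {
    "data": {"app_id": APP_ID, "is_valid": True, "user_id": "1000123",
             "expires_at": 1700000000, "scopes": ["public_profile"]}
}
WRONG_APP_RESPONSE = {
    "data": {"app_id": "999999999999999", "is_valid": True, "user_id": "1000123"}
}
EXPIRED_RESPONSE = {
    "data": {"app_id": APP_ID, "is_valid": False,
             "error": {"code": 190, "message": "Error validating access token"}}
}


if __name__ == "__main__":
    print(graph_url("me", "USER_TOKEN_FROM_CLIENT", APP_SECRET, fields="id,name"))
    for name, resp in [("valid", VALID_RESPONSE), ("wrong app", WRONG_APP_RESPONSE),
                       ("expired", EXPIRED_RESPONSE)]:
        print(name, validate_debug_token(resp, APP_ID))
```

The server should treat the user as authenticated only when `validate_debug_token` returns `True`, and should then use the returned `user_id` (not any id the client claimed) as the identity for its own session.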