## Introduction
Facebook Login on Android uses a key hash to identify the signing certificate for your app. The usual job is to generate the hash for your debug keystore during development and for your release keystore before shipping, then register both values in the Facebook developer console.
## What the Key Hash Represents
The key hash is derived from the certificate used to sign the app. Facebook checks that certificate identity during login, which is why the same package name can still fail if the app is signed with a different key than the one registered.
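In practice, you often need at least two hashes:

- one for the debug keystore used during development
- one for the release keystore used for the build you ship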
If multiple developers use different local keystores, they may each need their own debug hash unless the team standardizes the debug signing configuration.
## Generate the Hash from the Command Line
The common approach uses keytool and openssl. For the default debug keystore on macOS or Linux:
```bash
keytool -exportcert \
  -alias androiddebugkey \
  -keystore ~/.android/debug.keystore \
  | openssl sha1 -binary \
  | openssl base64
```

The default debug keystore password is often `android`. If `keytool` prompts for the password, use that value unless your environment has been customized.

For a release keystore, swap in the real keystore path and alias:

```bash
keytool -exportcert \
  -alias my-release-key \
  -keystore /path/to/release.keystore \
  | openssl sha1 -binary \
  | openssl base64
```

Copy the resulting base64 string into the Android settings for your Facebook app.

## Generate the Hash in App Code for Debugging

If you want to confirm what certificate the installed app is actually using, you can print the key hash at runtime. This is especially useful when Gradle signing configuration is not doing what you expected.

```kotlin
import android.content.pm.PackageManager
import android.os.Bundle
import android.util.Base64
import android.util.Log
import androidx.appcompat.app.AppCompatActivity
import java.security.MessageDigest

class MainActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // GET_SIGNING_CERTIFICATES and signingInfo require API level 28 or later.
        val info = packageManager.getPackageInfo(
            packageName,
            PackageManager.GET_SIGNING_CERTIFICATES
        )

        // signingInfo can be null, so use safe calls instead of dereferencing it directly.
        info.signingInfo?.apkContentsSigners?.forEach { signature ->
            // "SHA" is the JCA alias for SHA-1, matching `openssl sha1` on the command line.
            val digest = MessageDigest.getInstance("SHA")
            digest.update(signature.toByteArray())
            val keyHash = Base64.encodeToString(digest.digest(), Base64.NO_WRAP)
            Log.d("KeyHash", keyHash)
        }
    }
}
```

Use this for local verification, not as a production feature.

## Know Where Signing Can Change

Android Studio, Gradle, CI pipelines, and app bundles can all affect which certificate is in play during testing and release. If Facebook login works on one build but not another, compare:

- package name
- signing certificate
- Facebook app configuration

The certificate is usually the missing piece. If you publish through a store signing flow, keep clear notes on which certificate Facebook expects for the distributed build.
Confusion between upload keys and final app-signing certificates is a common source of failed login setups.

## Common Pitfalls

- Registering only the debug hash and forgetting the release hash. Login then works locally but fails in production.
- Using the wrong keystore alias or wrong keystore file when generating the hash.
- Changing signing configuration in Gradle and assuming the old key hash still applies.
- Confusing package name problems with certificate problems. Facebook checks both, so verify both.
- Copying a hash with extra whitespace or a line break. The stored value must match exactly.

## Summary

- A Facebook key hash identifies the certificate used to sign your Android app.
- Generate one hash for debug signing and another for release signing.
- The common command-line method uses `keytool` piped into `openssl`.
- Runtime logging can help verify which certificate the installed app actually uses.
- If Facebook login fails, check package name, signing certificate, and registered hash together.
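
The following is an added example, not code from the original page. It reproduces the `sha1 | base64` step in Python, checks a value for the whitespace and length pitfalls listed above, and goes one step beyond the text by converting a colon-separated SHA-1 fingerprint into the same key hash format. All function names are hypothetical, the sample bytes are constructed, and having only a fingerprint for the store-signed certificate is an assumption.

```python
import base64
import binascii
import hashlib
import re

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes, i.e. a 28-character base64 key hash


def key_hash_from_cert(der: bytes) -> str:
    """Equivalent of `openssl sha1 -binary | openssl base64` over an exported certificate."""
    # A DER-encoded certificate starts with an ASN.1 SEQUENCE tag (0x30). Refusing
    # anything else avoids hashing an error message or an empty export by mistake.
    if not der.startswith(b"\x30"):
        raise ValueError("input does not look like a DER certificate")
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")


def key_hash_from_fingerprint(fingerprint: str) -> str:
    """Convert a colon-separated SHA-1 fingerprint (AA:BB:...) into a key hash."""
    try:
        digest = bytes.fromhex(re.sub(r"[:\s]", "", fingerprint))
    except ValueError as exc:
        raise ValueError("fingerprint is not hexadecimal") from exc
    if len(digest) != SHA1_LEN:
        raise ValueError(f"got {len(digest)} bytes, expected a {SHA1_LEN}-byte SHA-1")
    return base64.b64encode(digest).decode("ascii")


def check_registered_hash(value: str) -> list:
    """List the problems in a value that is about to be registered."""
    problems = []
    if re.search(r"\s", value):
        problems.append("contains whitespace or a line break")
    try:
        raw = base64.b64decode(re.sub(r"\s", "", value), validate=True)
    except binascii.Error:
        problems.append("not valid base64")
    else:
        if len(raw) != SHA1_LEN:
            problems.append(f"decodes to {len(raw)} bytes, not {SHA1_LEN}")
    return problems


# Constructed stand-in for certificate bytes (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-certificate-body"

if __name__ == "__main__":
    key_hash = key_hash_from_cert(SAMPLE_DER)
    print(key_hash, check_registered_hash(key_hash + "\n"))
```

Running the check in CI against the value you intend to register catches a pasted SHA-256 fingerprint or a trailing newline before it reaches the developer console.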