According to its API documentation, the Facebook.init() method allows you to pass an existing access token. This would be very useful to my project, so I created a test app on Facebook and followed these instructions to get a user's oauth_token via PHP. Once that's done, my PHP script passes the token to my SWF using FlashVars, after which the SWF calls Facebook.init() with the existing token.
All of this works fine (the app launches in Facebook and the SWF plays), but it produces what I consider to be an unexpected result: The access token I pass to Facebook.init() is not the same as the access token in the resulting FacebookAuthResponse object.
Is this by design? If so, what's the point of passing an existing access token to Facebook.init()?
I'll answer my own question in case it helps someone else, and especially since the Facebook-ActionScript API is becoming outdated and fragile (calling Facebook.init() is broken even in Adobe's own tutorial).
In short, my method of verifying a user via PHP and passing the access token to the SWF means my application doesn't need to call Facebook.init(). In fact, once my SWF begins executing, it can use the access token passed to it via FlashVars like this:
Facebook.api("/me/friends?access_token=" + accessToken, getFriendsHandler);