Skip to main content
This guide explains how to create a Facebook app and configure ngrok to use Facebook OAuth for user authentication. For more detail, see the Facebook app registration documentation.

What you’ll need

  • A Facebook Developer account (convert your account to a developer account if needed).
  • Your ngrok authtoken and an endpoint with the OAuth action in its Traffic Policy.

Register an application

  1. Visit the App Dashboard, log in, and convert your account to a developer account if necessary.
  2. Select Add a New App or Create App.
  3. Choose a user-visible name and contact email.
  4. Submit the form.

Configure your application

  1. After creation, you should see a list of products to add. If you don’t, open your app from the dashboard and scroll down to Add a product.
  2. Select Set Up for Facebook Login.
  3. In the left-hand navigation, select Facebook Login and then Settings.
  4. In Valid OAuth Redirect URI, add https://idp.ngrok.com/oauth2/callback.
  5. Save the Facebook Login settings page.
  6. In the left-hand navigation, select Settings and then Advanced.
  7. Fill out additional settings for your application.
    • ngrok does not support Server IP allowlisting.
  8. Enable Require App Secret. See Facebook’s documentation for how to call the Graph API with this feature.
  9. Save settings.
  10. In the left-hand navigation, open Basic settings.
  11. At the top, note your App ID and App Secret for later.
  12. Fill out the privacy policy URL. This URL must be accessible when entered for verification.
  13. Select a category for your application.
  14. Click Save Changes.
  15. Select the In development toggle at the top of the page and confirm switching to live mode.
  16. Your application should now show as live.

Update your ngrok endpoint Traffic Policy

  1. Access the ngrok Dashboard Endpoints page and locate an existing endpoint you’d like to add this to or create a new one.
  2. In your traffic policy, add the following configuration:
You may add any scopes that are required by your application with the following caveats.
on_http_request:
  - actions:
      - type: oauth
        config:
          provider: facebook
          client_id: '{your app''s oauth client id}'
          client_secret: '{your app''s oauth client secret}'
          scopes:
            - email
Click Save to validate and update your traffic policy.

Configure access control

Optionally, configure access control to your service by only allowing specific users or domains. 
on_http_request:
  - expressions:
      - '!(actions.ngrok.oauth.identity.email in [''me@example.com''])'
    actions:
      - type: deny

Further resources

User permission revocation

Facebook allows revocation of any permission as part of the authorization flow. ngrok enforces that users initially grant all configured permissions. After endpoint authorization, users may selectively revoke permissions. If your application requires more than the default or email scope, follow Facebook’s rules for handling revoked permissions without violating terms of use.