Skip to main content
This guide explains how to create a Facebook app and configure ngrok to use Facebook OAuth for user authentication. For more detail, see the Facebook app registration documentation.

What you’ll need

  • A Facebook Developer account (convert your account to a developer account if needed).
  • Your ngrok authtoken and an endpoint with the OAuth action in its Traffic Policy.

Create a Facebook app

  1. Follow Facebook’s documentation for creating an app, and when prompted to select a use case, choose Authenticate and request data from users with Facebook Login.
  2. Connecting a business portfolio is optional. You can skip it, since it isn’t required to authenticate users to your own service.
The Authenticate and request data from users with Facebook Login use case sets up standard Facebook Login, which lets visitors sign in with their personal Facebook account. This is the right fit for gating a service behind an ngrok endpoint. You don’t need Facebook Login for Business or the Business app type unless your app needs ongoing access to business assets such as Pages or ad accounts.

Configure your app for ngrok

In your app dashboard, set the following:
  • Valid OAuth Redirect URIs: add https://idp.ngrok.com/oauth2/callback in your app’s Facebook Login settings.
  • App ID and App Secret: note these from App settings → Basic for use in your Traffic Policy below.
  • Mode: switch your app from Development to Live using the toggle at the top of the dashboard. In Development mode, only app admins, developers, and testers can sign in.
ngrok does not support Facebook’s Server IP allowlisting.

Update your ngrok endpoint Traffic Policy

  1. Access the ngrok Dashboard Endpoints page and locate an existing endpoint you’d like to add this to or create a new one.
  2. In your traffic policy, add the following configuration:
You may add any scopes that are required by your application with the following caveats.
Click Save to validate and update your traffic policy.

Configure access control

Optionally, configure access control to your service by only allowing specific users or domains.

Further resources

User permission revocation

Facebook allows revocation of any permission as part of the authorization flow. ngrok enforces that users initially grant all configured permissions. After endpoint authorization, users may selectively revoke permissions. If your application requires more than the default or email scope, follow Facebook’s rules for handling revoked permissions without violating terms of use.