What you’ll need
- A Facebook Developer account (convert your account to a developer account if needed).
- Your ngrok authtoken and an endpoint with the OAuth action in its Traffic Policy.
Create a Facebook app
- Follow Facebook’s documentation for creating an app, and when prompted to select a use case, choose Authenticate and request data from users with Facebook Login.
- Connecting a business portfolio is optional. You can skip it, since it isn’t required to authenticate users to your own service.
The Authenticate and request data from users with Facebook Login use case sets up standard Facebook Login, which lets visitors sign in with their personal Facebook account. This is the right fit for gating a service behind an ngrok endpoint.
You don’t need Facebook Login for Business or the Business app type unless your app needs ongoing access to business assets such as Pages or ad accounts.
Configure your app for ngrok
In your app dashboard, set the following:- Valid OAuth Redirect URIs: add
https://idp.ngrok.com/oauth2/callbackin your app’s Facebook Login settings. - App ID and App Secret: note these from App settings → Basic for use in your Traffic Policy below.
- Mode: switch your app from Development to Live using the toggle at the top of the dashboard. In Development mode, only app admins, developers, and testers can sign in.
ngrok does not support Facebook’s Server IP allowlisting.
Update your ngrok endpoint Traffic Policy
- Access the ngrok Dashboard Endpoints page and locate an existing endpoint you’d like to add this to or create a new one.
- In your traffic policy, add the following configuration:
You may add any scopes that are required by your application with the following caveats.
- Scopes which require a Facebook app review are unsupported.
- ngrok will enforce that users accept all permissions before completing authorization.
Configure access control
Optionally, configure access control to your service by only allowing specific users or domains.Further resources
User permission revocation
Facebook allows revocation of any permission as part of the authorization flow. ngrok enforces that users initially grant all configured permissions. After endpoint authorization, users may selectively revoke permissions. If your application requires more than thedefault or email scope, follow Facebook’s rules for handling revoked permissions without violating terms of use.