Facebook is an OAuth 2.0 preset shipped from v0.5 of authn.sh. Facebook ships custom userinfo semantics — the `/me` endpoint requires an explicit `fields` query parameter to surface email + name. authn.sh’s preset handles that for you.

Default scopes

| Scope | Returns |
|---|---|
| `public_profile` | Facebook user id, name, first_name, last_name, picture. |
| `email` | Primary email address (verified). |

Register an application on Meta

- Open Meta for Developers → My Apps and click Create App.
- Pick Consumer as the use case (or Business if you need advanced permissions). Name the app and confirm.
- Inside the app, under Add products to your app, add Facebook Login.
- In Facebook Login → Settings, paste the `redirect_uri` from your authn.sh `OauthProvider` row — `https://<env_slug>.authn.sh/v1/oauth-callback/facebook` — into Valid OAuth Redirect URIs. Save.
- In App settings → Basic, copy App ID (this is the `client_id`) and App Secret (this is the `client_secret` — click Show, you may need to re-enter your Facebook password).

Configure the provider in authn.sh

```http
POST /v1/oauth-providers
Authorization: Bearer sk_live_…
Content-Type: application/json

{
  "provider_kind": "preset",
  "provider_key": "facebook",
  "name": "Facebook",
  "client_id": "1234567890123456",
  "client_secret": "your-facebook-app-secret-here"
}
```

attribute_mapping

Preset defaults — no override needed for the common case:

| authn.sh field | Facebook claim |
|---|---|
| `email_address` | `email` |
| `first_name` | `first_name` |
| `last_name` | `last_name` |
| `provider_user_id` | `id` |
| `profile_image_url` | `picture.data.url` |

Note `picture.data.url` — Facebook returns the avatar as a nested object, not a top-level URL. authn.sh’s `attribute_mapping` understands dot-paths so the default works out of the box.

- Facebook only surfaces `email` if the user granted the `email` permission and their Facebook account has a verified email. If the user has no verified email, `email_address` lands as `null` and the FAPI rejects the sign-up with `oauth_no_email_returned` — you’ll want a fallback flow (email-code / password) for those users, or set `allow_sign_up: false` on the Facebook row so they fall back to an existing-account sign-in.
- Facebook’s app review process gates `public_profile` past the development phase. While your app is in development mode, only Meta accounts you’ve added as developers / testers can sign in. Submit for review when you’re ready to ship.
- The `picture.data.url` Facebook returns is a short-lived URL pointing at their CDN. authn.sh re-fetches and re-hosts the avatar on first sign-in so the link doesn’t decay.
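
The sketch below is an added example, not authn.sh's own code. It applies the preset dot-path mapping to a constructed `/me` response and shows the missing-email case ending in `oauth_no_email_returned`. The function names, the sample payloads, and deriving the `fields` value from the mapping are assumptions made for illustration.

```python
# Illustrative sketch only: not authn.sh's implementation.
# The mapping is copied from the preset defaults table on this page.
PRESET_MAPPING = {
    "email_address": "email",
    "first_name": "first_name",
    "last_name": "last_name",
    "provider_user_id": "id",
    "profile_image_url": "picture.data.url",
}


def fields_param(mapping):
    """Top-level Graph fields the mapping needs, for /me?fields=... (assumed derivation)."""
    return ",".join(sorted({path.split(".")[0] for path in mapping.values()}))


def resolve(claims, path):
    """Walk a dot-path; return None if a segment is missing or not an object."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def map_userinfo(claims, mapping=PRESET_MAPPING):
    """Return (attributes, error_code); error_code is None on success."""
    attrs = {field: resolve(claims, path) for field, path in mapping.items()}
    if not attrs["email_address"]:
        # Error code named on this page for sign-ups without an email.
        return attrs, "oauth_no_email_returned"
    return attrs, None


# Constructed sample /me responses (not real accounts).
WITH_EMAIL = {
    "id": "10000000000000001",
    "email": "ada@example.com",
    "first_name": "Ada",
    "last_name": "Lovelace",
    "picture": {"data": {"url": "https://cdn.example.invalid/a.jpg"}},
}
NO_EMAIL = {k: v for k, v in WITH_EMAIL.items() if k != "email"}

if __name__ == "__main__":
    print(fields_param(PRESET_MAPPING))
    print(map_userinfo(WITH_EMAIL))
    print(map_userinfo(NO_EMAIL))
```

A flat `picture` value, or an absent `picture` object, resolves to `None` rather than raising, so a malformed avatar field cannot abort the sign-in on its own.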