Facebook Login with FedCM

Updated:Jun 1, 2026

Facebook Login supports the Federated Credential Management (FedCM) API ⁠ on the web. Instead of opening a popup or redirecting to facebook.com, the browser itself shows a native account picker that users already trust. FedCM works without third-party cookies, and the Facebook JavaScript SDK falls back to the standard OAuth flow automatically on browsers that do not support it.

For new integrations, FedCM with auto-prompting is the recommended default. Returning users see a one-tap sign-in prompt the next time they visit your site, and no code changes are required to handle browsers without FedCM support.

What is FedCM?

FedCM is a W3C web standard ⁠ that moves federated login into a browser-native experience. The browser handles the credential exchange directly — no third-party JavaScript opens a popup, and no page navigation happens. The result is a faster, more reliable sign-in flow that keeps working as browsers phase out third-party cookies.

When you enable FedCM in the Facebook JavaScript SDK:

The browser shows a native credential picker instead of a popup window.

Returning users can sign in with one tap, or automatically on page load when auto-prompting is enabled.

The SDK falls back to the standard OAuth popup on browsers without FedCM support, or when the user is not logged into Facebook.

Your existing FB.login() calls, permission scopes, callback handling, and access tokens work unchanged.

Requirements

Requirement	Notes
JavaScript SDK	The Facebook JavaScript SDK loaded on your page
Transport	HTTPS on your domain, or `localhost` with a secure context for development
Cross-origin iframes	Must include `allow="identity-credentials-get"` in the permissions policy
User gesture (active mode)	`FB.login()` must be triggered by a user gesture such as a button click

Quickstart for new integrations

Add the SDK and initialize it with FedCM enabled and auto-prompting on. Auto-prompting gives returning users a one-tap sign-in on page load, with no button click required.

  <script async defer crossorigin="anonymous"
  src="https://connect.facebook.net/en_US/sdk.js"></script>

<script>
  window.fbAsyncInit = function() {
    FB.init({
      appId: 'YOUR_APP_ID',
      fedCM: { autoPrompt: true },
      cookie: true,
      xfbml: true,
      version: 'v22.0'
    });
  };
</script>

Trigger an interactive sign-in from a button click as you would with the standard SDK:

 FB.login(function(response) {
  if (response.status === 'connected') {
    console.log('Logged in:', response.authResponse);
    // response.authResponse contains:
    //   accessToken
    //   userID
    //   expiresIn
  }
}, { scope: 'public_profile,email' });

The SDK uses FedCM on supported browsers and the standard popup flow everywhere else. You do not need to detect support yourself.

Auto-prompt behavior

When autoPrompt: true is set, the browser displays a small, non-intrusive prompt with the user’s Facebook account on page load. The SDK fires the standard auth.login and auth.statusChange events when the user approves — the same events you would receive from FB.login() . Review any existing event listeners to confirm they handle being triggered on page load without an explicit FB.login() call.

If the user dismisses the prompt, the browser applies a spec-defined cooldown before showing it again. The cooldown is measured in days, not sessions, so a dismissal on Monday may suppress the prompt for the rest of the week, even across new browser sessions. See the FedCM specification ⁠ for details.

Enable on an existing integration

If you already have a working Facebook Login integration, add the fedCM option to your existing FB.init() call. No other changes are required:

 FB.init({
    appId: 'YOUR_APP_ID',
+   fedCM: { autoPrompt: true },
    cookie: true,
    xfbml: true,
    version: 'v22.0'
  });

To roll back, remove the fedCM option. The SDK fully restores the previous popup behavior with no side effects.

Before deploying to production, review these items — especially if you use auth event listeners or embed Facebook Login in iframes:

Audit all auth.statusChange listeners for compatibility with auto-prompting.

Test your error handling for the {status: 'unknown'} dismissal case described in Fallback and dismissal behavior .

Confirm token handling works with FedCM-issued tokens. The authResponse format is identical to OAuth, including accessToken , userID , and expiresIn .

Test the fallback path on Safari, Firefox, and older Chrome versions.

Confirm behavior in any iframe or embedded contexts. FedCM requires allow="identity-credentials-get" on cross-origin iframes.

Configuration options

Pass an object to fedCM to control auto-prompting and the text shown in the browser picker.

`autoPrompt`

Controls whether the browser shows the credential picker on page load for returning users.

 FB.init({
  appId: 'YOUR_APP_ID',
  fedCM: { autoPrompt: true },
  version: 'v22.0'
});

Value	Behavior
`true` (recommended for new integrations)	Browser auto-prompts returning users on page load.
`false`	FedCM is enabled but the picker only appears when the user triggers `FB.login()` .

If you set fedCM: true as a shorthand, the SDK enables FedCM in active mode only — equivalent to { autoPrompt: false } .

`context`

Customizes the text shown in the browser’s credential picker. The values match the FedCM spec’s IdentityCredentialRequestOptionsContext .

Value	Picker text
`'signin'` (default)	“Sign in with Facebook”
`'signup'`	“Sign up with Facebook”
`'use'`	“Use Facebook”

 FB.init({
  appId: 'YOUR_APP_ID',
  fedCM: { context: 'signup' },
  version: 'v22.0'
});

Combine options

 FB.init({
  appId: 'YOUR_APP_ID',
  fedCM: {
    autoPrompt: true,
    context: 'signin'
  },
  version: 'v22.0'
});

Fallback and dismissal behavior

The SDK handles unsupported browsers and edge cases for you:

Condition	SDK behavior
Browser does not support FedCM (Safari, older Chrome, etc.)	Falls back to the standard OAuth popup automatically.
User is not logged into Facebook in this browser	Falls back to the standard OAuth popup so the user can sign in.
Network error or other FedCM failure	Falls back to the standard OAuth popup silently.
User dismisses the FedCM prompt	Callback receives `{status: 'unknown'}` . The SDK does notfall back to the popup — re-prompting on dismissal is intentionally avoided.

Handle the dismissal case in your callback if you want to show your own retry UI:

 FB.login(function(response) {
  if (response.status === 'connected') {
    // Signed in
  } else if (response.status === 'unknown') {
    // User dismissed the FedCM prompt — show your own retry UI if desired
  }
}, { scope: 'public_profile,email' });

Multi-IdP integration

If your site offers Facebook and another federated provider (such as Google) in the same picker, use the FedCM multi-IdP API. The SDK provides two helpers:

 // 1. Get Facebook's provider config
const fbProvider = FB.FedCM.getProviderConfig({
  scope: 'public_profile,email'
});

// 2. Pass it alongside other providers in a single navigator.credentials.get() call
const credential = await navigator.credentials.get({
  identity: {
    providers: [fbProvider, googleProvider]
  }
});

// 3. Route the result back through the SDK
const authResponse = FB.FedCM.processCredential(credential);

Multi-IdP requires all participating providers to be listed in the same navigator.credentials.get() call. Chrome’s multi-IdP support is still maturing — see the Chrome FedCM documentation ⁠ for current constraints.

You can also check FedCM availability programmatically with FB.FedCM.isSupported() , and access the provider config URL via FB.FedCM.CONFIG_URL .

Browser support

Browser	Support
Chrome 131+	Full support — active mode, auto-prompting, `context` parameter
Edge 131+	Full support (Chromium-based)
Chrome 108–130	Basic FedCM only — active mode, no `context` parameter, no auto-prompting
Firefox	Behind a flag (in development)
Safari	Not yet supported

For current coverage percentages, see caniuse.com/web-fedcm ⁠ . For users on unsupported browsers, the SDK falls back to the standard OAuth popup flow automatically.

Troubleshooting

FedCM prompt does not appear

Verify your page is served over HTTPS.

Confirm the user is logged into Facebook in the same browser.

If your login flow runs inside an iframe, set allow="identity-credentials-get" on the iframe element.

For active mode, ensure FB.login() is called inside a user gesture handler such as a button click.

The browser may be in a cooldown period after a previous dismissal. Wait or clear site data.

Open Chrome DevTools → Application→ Federated Credential Managementto inspect FedCM state.

Auto-prompt does not appear

The user must have previously signed in to your site with Facebook.

Browsers throttle auto-prompts that have been shown and dismissed recently.

Only one IdP can have an active FedCM call per page at a time.

Verify you are on Chrome 131 or later. Auto-prompting is not available on Chrome 108–130.

Verify FedCM is in use

Open DevTools → Networkand look for a request to facebook.com/fed_cm/config.json .

If you see a popup window open instead, FedCM is not active — check browser version and HTTPS.

How it works

Facebook’s FedCM implementation follows the W3C spec. This section is informational — the SDK handles every step for you.

Discovery

The browser fetches Facebook’s well-known configuration:

 GET https://www.facebook.com/.well-known/web-identity

  {
  "provider_urls": ["https://www.facebook.com/fed_cm/config.json"]
}

It then fetches the provider configuration:

 GET https://www.facebook.com/fed_cm/config.json

  {
  "accounts_endpoint": "/fed_cm/accounts",
  "client_metadata_endpoint": "/fed_cm/client-metadata",
  "id_assertion_endpoint": "/fed_cm/assertion",
  "login_url": "/login/",
  "branding": {
    "background_color": "#1877F2",
    "color": "#FFFFFF",
    "icons": [{ "url": "...", "size": 32 }]
  }
}

The login_url field is where the browser sends the user when they are not currently logged into Facebook.

Account fetching

The browser sends a credentialed request to the accounts endpoint:

 GET https://www.facebook.com/fed_cm/accounts
Sec-Fetch-Dest: webidentity
Cookie: [user's facebook.com session cookies]

This request is made by the browser, not by your site’s JavaScript. Your site cannot intercept, read, or modify this request. The Sec-Fetch-Dest: webidentity header cannot be set by JavaScript and is validated server-side. Facebook’s session cookies are only used in this browser-to-Facebook leg — no cookies are set on your domain.

Token issuance

After the user consents in the browser picker, the browser sends a POST to the assertion endpoint:

 POST https://www.facebook.com/fed_cm/assertion
Sec-Fetch-Dest: webidentity
Content-Type: application/x-www-form-urlencoded

client_id=YOUR_APP_ID&account_id=USER_ID&nonce=...&scope=public_profile,email

Facebook validates the request, checks app permissions, and returns a credential token. The FedCM spec defines a generic token field — Facebook returns an OAuth access token in it. The SDK parses this and passes it to your callback as the standard authResponse object.

If you integrate with the FedCM API directly without the SDK, the token is on the resolved IdentityCredential :

 const credential = await navigator.credentials.get({
  identity: {
    providers: [{
      configURL: 'https://www.facebook.com/fed_cm/config.json',
      clientId: 'YOUR_APP_ID'
    }]
  }
});
const token = credential.token; // Facebook OAuth access token

Privacy properties

FedCM is designed to prevent identity tracking:

The accounts request omits Referer and Origin , so Facebook cannot identify the requesting site until the user explicitly consents.

Authentication uses first-party facebook.com cookies only — no third-party cookies are set on your domain.

The user must explicitly choose to share their identity in the browser’s native UI. There is no silent or passive tracking.

FAQ

Do I need to register my app differently for FedCM?No. FedCM uses your existing Facebook App ID and app configuration. No additional registration or review is required.

Will my existing Facebook Login integration break?No. FedCM is opt-in via the fedCM parameter in FB.init() . Existing integrations continue to work unchanged until you add the option.

What happens if the user is not logged into Facebook?FedCM requires an active Facebook session. If the user is not signed in, the SDK falls back to the standard popup flow where they can enter credentials.

Can I use FedCM with the Login Button plugin (XFBML)?Yes. When FedCM is enabled, the Login Button’s FB.login() call uses FedCM on supported browsers.

Does FedCM work with Facebook Login for Business ?FedCM works with the standard Facebook Login product. Support for Login for Business configurations is planned for a future release.

Does FedCM work in Facebook Canvas or Page Tab apps?No. The SDK uses the standard popup flow in these contexts and the fedCM option has no effect.

How do I test FedCM during development?

Use Chrome 131 or later with HTTPS — localhost with a self-signed certificate works.

Enable FedCM in your FB.init() call.

Open Chrome DevTools → Application→ Federated Credential Managementto inspect FedCM state.

What happens when the user dismisses the prompt?The callback receives {status: 'unknown'} . The SDK does not fall back to the popup. For auto-prompting, the browser enters a cooldown period before the prompt reappears.

What’s next

FedCM support is actively evolving:

Broader browser coverage as Firefox and Safari implement the specification.

Multi-IdP coordination improvements for sites that offer Facebook and other social logins.

Adoption and conversion analytics in App Dashboard.

Disconnect API support so users can revoke consent through browser settings.

Facebook Login for Business compatibility.

Chrome FedCM documentation ⁠

Facebook Developer Community Forum

Bug Report tool