Connecting Meta safely: how OAuth protects your ad account

How OAuth account access actually works, which permissions an ads tool should request, what we never ask for, and how to revoke access at any time.

3 min read · Updated

To read your campaign numbers, Flowjat needs permission to talk to your ad account. It does this with OAuth, the same “Sign in / Allow access” flow you’ve used to connect apps before. If you’ve ever clicked “Continue with Google”, you’ve used it.

Handing any tool access to the account where your money lives deserves a clear explanation. Here is what actually happens, in plain terms — and the red flags that should make you close the tab, with any tool.

What OAuth is

OAuth lets you grant a tool limited access to your account without ever giving it your password. The flow has three parties: you, Meta, and the tool asking for access. The tool never sits between you and your password — it’s redirected out of the room while you log in.

What the tool receives at the end is a token: a revocable key that only opens the specific doors you approved. Not your credentials. Not your profile. Not a blank cheque.

What happens when you click “Connect”, step by step

  1. You’re sent to Meta’s own login page. Check the address bar: it should say facebook.com. You log in there — the tool never sees what you type.
  2. Meta shows you exactly what’s being requested. The permission screen lists the scopes: which data, on which ad accounts. Read it — it’s short.
  3. You approve (or don’t). Nothing happens without this click.
  4. Meta hands the tool a scoped token. You’re returned to the tool, and your campaign data starts flowing in.

The whole exchange takes under a minute, and at no point did your password leave Meta’s page.

What we ask for — and what we don’t

  • We never see your password. You enter it on Meta, not on Flowjat. That’s structural, not a promise.
  • We ask for the narrowest access that does the job: reading your ad performance data. Not posting on your behalf, not messaging your contacts, not touching your personal profile.
  • Nothing changes without your approval. Where Flowjat proposes a change to a campaign, you review and approve it explicitly before it’s applied.
  • You stay in control. Revoke access at any time from Meta’s business settings, and the connection stops working immediately.

Red flags — for any tool, not just ours

A quick checklist worth keeping for every ads tool you evaluate:

  • It asks you to type your ad-platform password into its own form. Never. Legitimate tools always send you to the platform’s page.
  • The permission screen requests far more than the job needs — posting rights, friends lists, messaging — for what’s supposed to be a reporting tool.
  • The login page’s domain isn’t the platform’s. facebook.com, not a lookalike.
  • There’s no obvious way to disconnect or no explanation of what happens to your data when you do. (Ours is on the data deletion page.)

How to revoke access

You can cut the connection at any time, from either side:

  1. From Meta: Settings → Security → Apps and Websites (or Business Integrations for business accounts) → find the tool → Remove. The token is invalidated immediately.
  2. From Flowjat: disconnect the platform from your integrations settings.

Revoking access breaks the tool’s ability to read anything new, instantly.

The same rules for every platform

Everything above applies to every platform Flowjat supports — Google, TikTok, Apple Search Ads, and the revenue tools like Stripe — not just Meta. Same OAuth flow, same narrow scopes, same revocability. For the current, honest status of each connection, see the integrations page. For how your data is handled once connected, read the privacy policy or our security page.

Once you’re connected, the next step is knowing what to look at: reading your ad reports covers the metrics that matter.

Common questions

Does Flowjat ever see my Facebook password?

No — and it can't. With OAuth you type your password on Meta's own login page, never on Flowjat. Meta then issues Flowjat a limited, revocable token. If you ever find a tool asking you to type your ad-platform password into its own form, close the tab.

Can Flowjat spend money or change my campaigns without me?

No. The connection is scoped to reading your ad performance data. Where Flowjat proposes a change, you approve it explicitly before anything is applied — approval is the product's core design rule, not a setting you have to find.

How do I revoke Flowjat's access to my Meta account?

In Meta's settings, open Business Integrations (or Settings → Security → Apps and Websites), find Flowjat, and remove it. The token stops working immediately. You can also disconnect from inside Flowjat, and request data deletion on our data-deletion page.

Ready to put this into practice? Create a free account and connect your first platform as the integrations go live.

Connect your accounts and see what your spend returns.

Setup takes a couple of minutes, and you approve every change before it goes live.

Start free