To read your campaign numbers, Flowjat needs permission to talk to your ad account. It does this with OAuth, the same “Sign in / Allow access” flow you’ve used to connect apps before. If you’ve ever clicked “Continue with Google”, you’ve used it.
Handing any tool access to the account where your money lives deserves a clear explanation. Here is what actually happens, in plain terms — and the red flags that should make you close the tab, with any tool.
What OAuth is
OAuth lets you grant a tool limited access to your account without ever giving it your password. The flow has three parties: you, Meta, and the tool asking for access. The tool never sits between you and your password — it’s redirected out of the room while you log in.
What the tool receives at the end is a token: a revocable key that only opens the specific doors you approved. Not your credentials. Not your profile. Not a blank cheque.
What happens when you click “Connect”, step by step
- You’re sent to Meta’s own login page. Check the address bar: it should
say
facebook.com. You log in there — the tool never sees what you type. - Meta shows you exactly what’s being requested. The permission screen lists the scopes: which data, on which ad accounts. Read it — it’s short.
- You approve (or don’t). Nothing happens without this click.
- Meta hands the tool a scoped token. You’re returned to the tool, and your campaign data starts flowing in.
The whole exchange takes under a minute, and at no point did your password leave Meta’s page.
What we ask for — and what we don’t
- We never see your password. You enter it on Meta, not on Flowjat. That’s structural, not a promise.
- We ask for the narrowest access that does the job: reading your ad performance data. Not posting on your behalf, not messaging your contacts, not touching your personal profile.
- Nothing changes without your approval. Where Flowjat proposes a change to a campaign, you review and approve it explicitly before it’s applied.
- You stay in control. Revoke access at any time from Meta’s business settings, and the connection stops working immediately.
Red flags — for any tool, not just ours
A quick checklist worth keeping for every ads tool you evaluate:
- It asks you to type your ad-platform password into its own form. Never. Legitimate tools always send you to the platform’s page.
- The permission screen requests far more than the job needs — posting rights, friends lists, messaging — for what’s supposed to be a reporting tool.
- The login page’s domain isn’t the platform’s.
facebook.com, not a lookalike. - There’s no obvious way to disconnect or no explanation of what happens to your data when you do. (Ours is on the data deletion page.)
How to revoke access
You can cut the connection at any time, from either side:
- From Meta: Settings → Security → Apps and Websites (or Business Integrations for business accounts) → find the tool → Remove. The token is invalidated immediately.
- From Flowjat: disconnect the platform from your integrations settings.
Revoking access breaks the tool’s ability to read anything new, instantly.
The same rules for every platform
Everything above applies to every platform Flowjat supports — Google, TikTok, Apple Search Ads, and the revenue tools like Stripe — not just Meta. Same OAuth flow, same narrow scopes, same revocability. For the current, honest status of each connection, see the integrations page. For how your data is handled once connected, read the privacy policy or our security page.
Once you’re connected, the next step is knowing what to look at: reading your ad reports covers the metrics that matter.