How to Add Facebook Login to an Expo App

When we set out to add Facebook Login to our app, it seemed like a small, straightforward task. The kind you could knock out in an afternoon. After all, what could be simpler than a “Continue with Facebook” button?

But what started as a quick feature turned into several days of research, trial and error, and backend customizations. Especially once we realized that iOS, Facebook’s Limited Login, and Firebase weren’t exactly getting along. The goal was simple. Let users sign up with Facebook. No email required. No password needed. Just a smooth tap-and-go experience.

Here’s how that simple login button turned into a surprisingly complex (but rewarding) technical journey.

Why Choose Facebook Login for Your App

We were working on Shift, a mobile app for car management built with Expo (React Native) and Firebase. It helps users track maintenance, book services, and share access with family or co-owners. The app is designed to make everyday tasks around car ownership easier, especially when more than one person uses the same vehicle.

From the beginning, we wanted the sign-up process to be as simple as possible. The initial requirement was clear — it had to work smoothly on mobile without requiring long forms or passwords. This is especially important on mobile platforms, where Apple encourages developers to offer alternative login methods beyond the traditional email and password.

To meet that need, we decided to integrate Facebook Login. It seemed like a good fit: a recognizable platform, a fast sign-in experience, and support for a lightweight onboarding flow. In theory, it would let users get started with just one tap.

In practice, it turned out to be more involved.

What Actually Happens When You Tap "Continue with Facebook"?

From the outside, it looks like a simple button. But when someone taps "Continue with Facebook," several things happen in the background. Here's what the typical flow looks like:

1. The app opens a Facebook login screen.
2. The user confirms that they want to continue.
3. Facebook responds with a token that confirms the user's identity.
4. That token is passed to Firebase, which uses it to either sign in the user or create a new account.

It's a standard third-party authentication setup: Facebook handles the login, and Firebase handles user management. When everything works as expected, the process feels seamless. No forms, no passwords. Just a smooth entry into the app.

And that's exactly what happened on Android. But on iOS, the same flow didn't work. Not because of a bug in our code, but because of how Facebook and Apple now handle login permissions on iOS devices.

What Worked on Android

On Android, everything went according to plan. We used Facebook's login flow to request basic profile access, and the system returned an authentication token. That token could be passed directly to Firebase using signInWithCredential, which completed the sign-in process without any issues.

There was no need for extra steps, backend checks, or custom logic. Firebase recognized the token, linked it to a user account, and allowed access instantly.

From a development perspective, this was the ideal scenario: minimal configuration, native support, and full compatibility between Facebook and Firebase.

Here’s what the code looked like on Android:

Simple and reliable. But on iOS, things took a different turn.

Why It Didn't Work on iOS

On iOS, the same code didn't work, even though it looked almost identical.

Instead of returning a standard access token, Facebook used something called Limited Login, a privacy-focused mode introduced to comply with Apple's guidelines. With Limited Login enabled, Facebook doesn't return the kind of token that Firebase expects.

Firebase requires a valid access token to authenticate users through third-party providers. But Limited Login only gives an id_token, which isn't compatible out of the box.

That meant we couldn't just call signInWithCredential like we did on Android. Firebase would reject the token, and the login would fail.

Why Limited Login exists

Apple encourages apps to collect as little user data as possible. Limited Login supports this by allowing authentication without sharing information like email or friends list — and by returning only a token suitable for basic identification, not full access.

In theory, that's great for privacy. But in our case, it broke the standard integration flow with Firebase. To make login work on iOS, we had to take a completely different approach.

We initially explored several standardized solutions, including those suggested in Firebase's documentation. Unfortunately, most of them assumed we were building a fully native app, but our project was built with React Native using Expo.

Firebase provides documentation for integrating Facebook Login with native iOS and Android apps, as well as with Web. But Expo was left out entirely. That meant we couldn't rely on official guidance to handle the iOS flow.

We also looked into third-party libraries and community packages. While some offered partial support, none of them provided a complete, plug-and-play solution that worked within Expo and respected Apple's privacy guidelines while also returning a token Firebase could use.

How We Solved It on iOS

Since Firebase couldn't accept the token returned by Facebook's Limited Login, we had to handle the verification ourselves. We did it outside of Firebase and then created a custom token that Firebase would trust.

This required building a backend flow that could:

1. Receive the authenticationToken (returned by Facebook on iOS).
2. Verify that token using Facebook's public keys.
3. Extract user data from the verified token (like name, profile picture, Facebook UID).
4. Create or update a Firebase user based on the Facebook UID.
5. Generate a custom Firebase token.
6. Return that token to the client so the user could sign in.

This approach gave us full control over the authentication process and made it possible to work around the limitations of iOS.

Here's what the code looked like on the backend:

Once the client received the custom token, it could complete the login using:

ts await signInWithCustomToken(auth, customToken);

It wasn’t as straightforward as Android, but it gave us a working and secure login experience on iOS fully compatible with Facebook’s privacy rules and Firebase’s authentication system.

What We Learned

This integration turned out to be much more complex than expected — not because of Facebook or Firebase alone, but because of how they interact under modern privacy rules, especially on iOS.

Here's what stood out:

• Firebase's documentation doesn't cover every case. Especially when it comes to using Facebook Login with Expo and Limited Login, there's a gap in official guidance.
• Limited Login changes everything. On iOS, Facebook now returns a different type of token, which breaks many standard third-party authentication flows.
• A custom backend is sometimes necessary. If you need flexibility (like handling tokens manually or skipping extra permissions), a backend that can validate tokens and generate Firebase credentials becomes essential.

Final Thoughts

This feature turned out to be less about plugging in Facebook Login and more about understanding how different systems handle identity and privacy.

We had to adjust our approach depending on the platform using standard methods on Android, and a custom backend flow on iOS. It took more time than expected, but now the login experience works reliably across both platforms.

If you're building with Expo and Firebase and running into unexpected issues with Facebook Login, especially on iOS, you're not the only one. The flow is possible, but it may take a few extra steps.