Facebook Login in Unity without the SDK
Facebook login in Unity used to mean importing the Facebook SDK, fighting its Gradle and manifest requirements, and updating it every time it drifted out of sync with your build tools. You don't need any of that to let players sign in with Facebook. This guide does it through the Graph API with no SDK in your project — and covers the App Review step that quietly blocks most first attempts.
No SDK, but read the App Review part first
The good news: there's nothing to import. Oathwall runs Facebook's OAuth flow server-side against the Graph API, so your Unity project stays clean and your app secret never ships in the build.
The part that catches people is Meta's review process, not the code. A new Facebook app starts in development mode. In that mode, only people with a role on the app — admins, developers, and testers you explicitly add — can log in, and only they get an email back. To let the general public sign in and to receive their email, you have to submit the email permission for App Review and get advanced access. Plan for that before launch day; it's not instant.
So the honest sequence is: build and test with your own accounts now, submit for review well before you ship.
Step 1: Create a Meta app
- Go to developers.facebook.com and create an app. Choose a type that offers Facebook Login (the "Authenticate and request data from users" use case).
- Add the Facebook Login product to the app.
- In Facebook Login → Settings, add this to Valid OAuth Redirect URIs, exactly:
https://sso.oathwall.com/auth/callback
- From Settings → Basic, copy the App ID and App Secret. While you're there, set the Privacy Policy URL and a Data Deletion method — Meta requires both, and it'll block advanced access until they're present.
- Under App Review → Permissions and Features, request advanced access for
email(andpublic_profile, which is usually granted by default).
Step 2: Paste your credentials into Oathwall
In the Oathwall dashboard, add Facebook as a provider and paste the App ID and App Secret. The secret now lives server-side and is used for the token exchange on Oathwall's servers — it's out of your build for good. The public appKey is the only identifier your game carries.
Step 3: Wire it up in Unity
Same base class, same one-line call:
using PixitGames.SSOLoginKit;
public class LoginManager : SsoClientBase
{
// No Facebook SDK, no app secret in the build.
// Same flow as every other provider.
public void OnFacebookButton() => StartLogin("facebook");
protected override void OnLoginSuccess(LoginResult user)
{
// user.email may be null if the email permission
// isn't approved yet, or the account has none.
LinkPlayer(user.id, user.email);
}
}
StartLogin("facebook") opens Facebook's login dialog in the system browser. Oathwall exchanges the code, calls the Graph API for id, name, email, and picture, and returns the result. You'll always get the id; whether the email is populated depends on the review status and the account itself.
The gotchas worth knowing
Development mode hides the failure. During testing everything works — because you're an admin on the app. The email-permission wall only appears when a real player who isn't on your app's roles tries to sign in. If you test only with your own account, you won't see the problem until launch. Add a non-role test account, or check the review status, before you ship.
Email isn't guaranteed even when approved. A Facebook account can lack a usable email, or the user can decline to share it. Treat user.email as optional and key your player records on the stable user.id — the same discipline Discord and Steam push you toward.
Graph API versions move. Meta pins the login to a Graph API version and deprecates old ones on a schedule. Oathwall tracks the endpoint version server-side, so you're not the one editing a version string in a shipped build when Meta bumps it.
For the flow behind all of this, OAuth 2.0 explained for game developers walks through what the "code" and "token" actually are, and the Unity authentication guide shows Facebook sitting alongside Google, Apple, and the rest under one login class.
Oathwall is available on the Unity Asset Store. Its free plan covers development, so you can build and test the Facebook flow while your App Review is pending.
Frequently asked questions
- Do I need the Facebook SDK to add Facebook login to Unity?
- No. Oathwall runs the OAuth flow against Facebook's Graph API on its servers, so there's no Facebook SDK, native plugin, or Gradle wrangling in your project. Your game opens the system browser and gets the result back.
- Why doesn't Facebook login return an email for real users?
- The email permission needs Meta's App Review before it works for people outside your app's roles. While the app is in development mode, only admins, developers, and testers you've added can log in and return an email. Submit the email permission for review before you launch publicly.
- Is my Facebook app secret shipped in the build?
- No. The app secret is stored server-side in the Oathwall dashboard and used during the token exchange on Oathwall's servers. Your build only carries the public appKey.
- What data comes back from a Facebook login?
- Oathwall requests id, name, email, and picture from the Graph API. You reliably get the id and name; the email depends on the permission being approved and the user having a verified address on their account.
- Does Meta require anything else before launch?
- Yes. Meta expects a privacy policy URL and a data deletion method (a callback URL or instructions) on the app, and business verification for some permissions. Set these up on the Meta app before you request advanced access to email.