Following our recent challenges with Google's API changes, we're facing a similar situation with Facebook. Although we have passed Facebook's annual security audits for years, its 2025 requirements introduce demands that are incompatible with modern distributed work environments and, frankly, counterproductive to actual security. As a result, we can no longer maintain Transloadit's Facebook OAuth app, though customers can still use the integration with their own credentials.

What happened?

Every year, Facebook conducts security audits for apps that integrate with their platform. We've consistently passed these audits by demonstrating our robust security practices. This year, however, Facebook added a requirement that fundamentally misunderstands how modern tech companies operate: it now demands that we install antivirus software on all workstations and distribute definition updates from a central server.

Why this doesn't work for us (or many modern companies)

First, there's the reality of a distributed workforce. Transloadit operates with a team of skilled freelancers who exclusively work on their own devices – in our case MacBooks. These are personal machines, not company-owned hardware. Installing centralized management software on personal devices would violate privacy laws in multiple jurisdictions, require a level of device control that's inappropriate for contractor relationships, and create security vulnerabilities by granting us root-level access to personal machines.

Facebook's recent demand also runs counter to modern security architecture. Our security model follows zero-trust principles. This means that we assume all endpoints could be compromised and enforce security at the server/API level, where data actually flows. This is more secure than relying on endpoint antivirus, which can provide a false sense of security.

Lastly, there are platform-specific considerations to keep in mind – something which Facebook fails to do with its new requirement. All of our team members use macOS, which includes XProtect: Apple's built-in antivirus system, which is updated automatically. Installing third-party antivirus software with kernel-level access on top of it would actually decrease security by introducing additional attack surfaces.

What we do instead

While we won't centrally push antivirus updates to freelancers' personal macOS devices, we maintain security through:

  • Contractual obligations: all of our team members sign agreements requiring:
    • Automatic updates enabled on OS and critical software
    • Full disk encryption
    • Two-factor authentication on all critical services
    • Regular security training
  • Server-side protection: where Facebook data actually flows, we maintain:
    • ClamAV scanning on incoming files
    • Automated daily OS and security updates
    • Comprehensive logging and monitoring
    • Security audits by third parties
    • Continuous penetration testing
  • Infrastructure isolation: production systems are completely isolated from developer workstations, with access controlled through SSH keys and IP allowlisting.

The exhausting back-and-forth

Despite providing extensive evidence of our security practices and detailing why centralized endpoint management is both impossible and unnecessary for our distributed contractor model, Facebook's review process remained inflexible. We provided:

  • Screenshots of our automated server update systems
  • Logs proving daily security updates in production
  • Evidence of ClamAV running on all servers processing user data
  • Documentation of our contractual security requirements
  • Proof that we've run over 52,000 antivirus scans in a 48-hour period

Yet the responses kept demanding "a centralized console where macOS updates are pushed to all user devices". This is a frankly preposterous requirement that mostly serves to demonstrate a fundamental disconnect between enterprise IT and the way in which modern distributed teams actually operate.

Making a difficult decision

After months of going back and forth, it became clear that Facebook's security assessment process is designed for traditional enterprises with company-owned hardware and centralized IT departments. It doesn't accommodate modern distributed work arrangements, contractor-based teams, zero-trust security architectures, and the legal realities of managing personal devices.

Continuing to fight this would require resources we simply don't have as a small company that is focused on building great file uploading experiences. More importantly, complying with these requirements would actually reduce our security posture by forcing us to install unnecessary software with deep system access on machines we don't own.

Impact on our customers

We are deeply sorry for the trouble this causes. We know many of you rely on the Facebook integration for your applications, and breaking changes like this are frustrating. We've tried our best to maintain this integration, but we're not willing to put up a security theater that would put our team members' personal devices at risk. We hope Facebook will ultimately reconsider its position, but we're not holding our breath.

The path forward: use your own credentials

The good news is that the Facebook integration in Uppy itself remains fully functional. You can continue using it by:

  1. Creating your own Facebook app at developers.facebook.com
  2. Going through Facebook's verification process yourself (be prepared for the requirements mentioned above)
  3. Configuring Uppy to use your credentials with either:
    • Your own Companion server
    • Transloadit's hosted Companion with custom credentials
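For the first option in step 3, here is an added example of a self-hosted Companion wired to your own Facebook app. It is not code from this post or from Uppy's own documentation; the option names follow @uppy/companion, while every environment variable name, host and port is a placeholder you would replace.

```javascript
// Added example, not code from the post or from Uppy's own documentation: a self-hosted
// Companion using your own Facebook app, so the App Secret lives only in your server's
// environment. Assumes CommonJS with @uppy/companion, express, body-parser and
// express-session installed; every env var name, host and port below is a placeholder.
// Build Companion's options from the environment and refuse to start on an unsafe setup.
function buildCompanionOptions(env) {
  const required = ['FACEBOOK_APP_ID', 'FACEBOOK_APP_SECRET', 'COMPANION_SECRET',
    'COMPANION_DOMAIN', 'UPLOADER_ORIGIN']
  const missing = required.filter((name) => !env[name])
  if (missing.length > 0) {
    throw new Error(`missing environment variables: ${missing.join(', ')}`)
  }
  // COMPANION_SECRET signs what Companion hands back to the browser; keep it long and random.
  if (env.COMPANION_SECRET.length < 32) {
    throw new Error('COMPANION_SECRET must be at least 32 characters')
  }
  return {
    providerOptions: {
      // Your own Facebook app from step 1: key is the App ID, secret the App Secret.
      facebook: { key: env.FACEBOOK_APP_ID, secret: env.FACEBOOK_APP_SECRET },
    },
    server: { host: env.COMPANION_DOMAIN, protocol: 'https' },
    secret: env.COMPANION_SECRET,
    filePath: env.COMPANION_TMP || '/tmp/companion',
    // Only your uploader's origin may call Companion; an open CORS policy would let any
    // site start OAuth flows through your credentials.
    corsOrigins: [env.UPLOADER_ORIGIN],
    // Limit where Companion will forward files to (your own upload endpoint).
    uploadUrls: [env.UPLOAD_URL || 'https://uploads.example.com/'],
  }
}

// Mount Companion on Express; runs only when COMPANION_START=1 so the module stays importable.
function startServer() {
  const express = require('express')
  const bodyParser = require('body-parser')
  const session = require('express-session')
  const companion = require('@uppy/companion')
  const options = buildCompanionOptions(process.env)
  const app = express()
  app.use(bodyParser.json())
  app.use(session({ secret: options.secret, resave: false, saveUninitialized: false }))
  const { app: companionApp } = companion.app(options)
  app.use(companionApp)
  const server = app.listen(Number(process.env.PORT || 3020))
  companion.socket(server) // WebSocket that Companion uses to report upload progress
}

if (process.env.COMPANION_START === '1') startServer()
```

On the client, point the Facebook plugin at this server with uppy.use(Facebook, { companionUrl: 'https://' + COMPANION_DOMAIN }) instead of Transloadit's hosted Companion.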

Setting up custom credentials with Transloadit

If you're using Transloadit's hosted Companion service, you can provide your own OAuth credentials:

import Uppy from '@uppy/core'
import Facebook from '@uppy/facebook'

const uppy = new Uppy()

uppy.use(Facebook, {
  // Transloadit's hosted Companion
  companionUrl: 'https://api2.transloadit.com/companion',
  companionHeaders: {
    // Your own Facebook app's credentials, passed to Companion with each request
    'Transloadit-OAuth-Credentials': JSON.stringify({
      key: 'YOUR_FACEBOOK_APP_ID',
      secret: 'YOUR_FACEBOOK_APP_SECRET',
    }),
  },
})

For detailed instructions, see our guide on using custom credentials.

A broader pattern

This isn't just about Facebook or Google. It's about a growing disconnect between the way large platforms approach security and how modern companies actually operate. They assume that every company has company-owned devices, centralized IT management, Windows-based infrastructure, and traditional employee relationships.

That is clearly out of touch with reality – and increasingly so. Many of today's most innovative companies work with distributed teams, contractor relationships, and BYOD policies. Security models need to evolve to recognize that centralized endpoint management isn't always possible – or even desirable.

Looking ahead

We'll continue to support the Facebook plugin in Uppy and help customers who want to maintain their own integrations. We're also exploring alternative approaches that might avoid these onerous requirements, similar to our Google Picker plugins.

We remain committed to providing the best file uploading experience possible, even as the landscape of third-party integrations becomes increasingly challenging. Thank you for your understanding and continued support.

Do you have further questions or need help migrating? Our support team is ready to help you set up your own Facebook credentials or explore alternative solutions. Contact us and we'll be happy to guide you through the process.