Guaranteed 100% Facebook, Instagram and WhatsApp Approvals & App Review
Quick Transfer Ready to use app available for Facebook, Instagram and WhatsApp
Guaranteed 100% Facebook, Instagram and WhatsApp Approvals & App Review
Quick Transfer Ready to use app available for Facebook, Instagram and WhatsApp
META API · ACCESS TOKENS

Your Meta API integration runs fine for weeks. Then one night a token expires, every scheduled job returns error 190 ("Access token has expired"), and your clients' posts, messages, and syncs silently stop. If your platform is still running production automation on a personal user access token, this failure is built into your architecture — and the fix is not another token refresh script. It is switching to the right token type: the Meta system user access token.

The short version: user access tokens represent a person and expire; system user tokens represent your business software and are designed for long-lived, unattended API access; Business Integration System User (BISU) tokens are the per-client variant tech providers use for onboarded customer accounts. Choosing the wrong one is a structural mistake that shows up later as outages, permission errors, and failed App Review submissions.

The Three Token Types Meta Actually Gives You

User Access Token

Tied to a real person who logged in. Short- or long-lived, but it depends on that person's session, role, and account status. If the employee leaves, changes their password, or gets checkpointed, your integration breaks. Fine for testing — risky as production infrastructure.

System User Access Token

Belongs to a "system user" — an entity inside your Meta business portfolio that represents software, not a person. Built for programmatic, automated actions without user input or re-authentication. Tokens can be generated as long-lived, including tokens that do not expire, which is why this is the standard model for Marketing API and WhatsApp Cloud API backends.

Business Integration System User (BISU) Token

The per-customer token model for Tech Providers and Solution Partners. Each token is scoped to one onboarded client business and is obtained by exchanging the code returned when that client completes Embedded Signup. Your own system user token is for your assets — BISU tokens are for theirs.

Admin vs Employee System Users — the Role Decision

Admin System User

Has broad default access — for WhatsApp, an admin system user can access all WhatsApp Business Accounts owned by or shared with your business portfolio by default. Powerful, but over-provisioned for most single-purpose integrations, and a bigger blast radius if the token leaks.

Employee System User

Only accesses the assets explicitly assigned to it. This is the least-privilege option — the right default for most production integrations, but it fails with permission errors if asset assignment is skipped or incomplete.

How the Setup Actually Flows (High Level)

1
Business portfolio prerequisites.

System users live inside a Meta business portfolio (Business Manager). Your app must be connected to that portfolio, and depending on what you access, Business Verification and app-level requirements come first. Skipping this order is where many setups stall on day one.

2
Create the system user and choose its role.

Admin or employee — the decision above. The number of system users you can create is limited, so platforms with many integrations need to plan this rather than create one per experiment.

3
Install the app and assign assets.

The system user must install your app before it can generate a token for it, and the assets it will touch — Pages, ad accounts, WABAs, catalogs — must be assigned with the right level of control. Most "token works in Graph API Explorer but fails in production" cases trace back to this step.

4
Generate the token with the right permission scopes.

The scopes you can select are bounded by what your app is approved for. If a permission never passed App Review / Advanced Access, it does not matter that the checkbox exists — the token will not deliver live-data access. Token generation is where your App Review history catches up with you.

Where SaaS Platforms Get Stuck

The five failure patterns we see most

  • Production running on a personal token. Everything works until the person behind the token leaves the company, resets a password, or trips a security checkpoint — then every client integration fails at once.
  • Token generated before permissions were approved. The token exists but calls fail or return empty data, because the underlying permissions never got through App Review or Advanced Access for live mode.
  • Admin/employee role confusion. An employee system user with no assets assigned returns permission errors that look like app problems; an admin system user everywhere is an audit and security finding waiting to happen.
  • App not connected to the business portfolio, or assets never assigned. The token generates, but the asset relationships behind it are missing — the most common source of "(#200) permission" errors in otherwise correct code.
  • Tech providers using their own system user token for client WABAs. Client accounts must run on BISU tokens obtained through Embedded Signup — using your own portfolio token for customer assets is the wrong architecture and breaks at scale.

Why This Is Harder Than It Looks

The token itself takes minutes to generate. What takes weeks is everything the token depends on: a correctly structured business portfolio, Business Verification, an app with the right type and use cases, permissions that have actually passed App Review, correct asset assignment, and — for tech providers — a working Embedded Signup implementation to mint per-client BISU tokens. Every one of those layers has its own review process and its own rejection reasons, and the error messages rarely tell you which layer is broken.

That is the work I do: I audit the portfolio and app configuration, map which token type your architecture actually needs, prepare and submit the App Review / Advanced Access requests the token depends on, and set up the asset and permission structure so the token you generate is one your integration can actually run on.

Related reading on this site: how WhatsApp Embedded Signup and Tech Provider onboarding works (the flow that produces BISU tokens), what Meta Advanced Access means for the permissions behind your token, and my Facebook App Review service if your permissions are the blocker. If token architecture is not something your team wants to own, you can bring in a Meta API developer to build and hand it over.

Token keeps expiring? Permission errors you can't trace?

Send me your setup — app type, what you're integrating, and the error — and I'll tell you which layer is broken and what it takes to fix it.

Meta makes all App Review, permission, verification, and token policy decisions independently. Outcomes and timelines cannot be guaranteed. This site is not affiliated with or endorsed by Meta Platforms, Inc. Details verified against official Meta developer documentation (Business Management APIs — System Users; WhatsApp Access Tokens guide) as of July 2026.