What the Instagram messaging permission unlocks
The messaging permission lets your app receive and send direct messages on behalf of an Instagram professional account through the API — the foundation for any DM automation, chatbot, or shared-inbox tool. The exact scope name depends on which login setup you build on.
instagram_business_manage_messages
The messaging scope when you build on Business Login for Instagram (users sign in with Instagram credentials).
instagram_manage_messages
The equivalent when you build on Facebook Login for Business, sending and receiving via the Messenger Platform’s Instagram messaging API.
24-hour standard messaging window
Your app can respond to a user within 24 hours of their message — the core policy your use case must respect.
Human agent tag (7 days)
For issues a bot cannot resolve, the human-agent tag allows a person to respond up to 7 days later — but it must be justified.
Why Meta makes messaging hard to approve
Messaging touches private user conversations, so Meta scrutinises it more than read-only scopes. By default your app has Standard Access, which only works for accounts with a role on the app. To handle DMs for real clients you do not own, you need Advanced Access — gated behind App Review and Business Verification.
Advanced Access plus Business Verification
Serving client accounts requires Advanced Access, which only comes through a successful App Review on a verified Meta Business portfolio. Skipping verification blocks the permission outright. See our guide to Meta Advanced Access.
Dependency permissions travel together
Messaging does not approve in isolation — the base Instagram permission and supporting scopes must be requested in the same submission with a clear, consistent use case, or the whole thing is rejected. On Business Login that base scope is the instagram_business_basic permission (the counterpart of instagram_basic on Facebook Login) — it must sit alongside the instagram_business_manage_messages permission in the same request.
The messaging window and automation policy
Your flow has to respect the 24-hour window and Meta’s rules for automated experiences, including disclosing to users when they are talking to a bot. A use case that looks like it bypasses these rules gets declined.
The screencast must show a real DM flow
Reviewers need to watch a test user message the account and your app receive and reply through the API — login, consent for the messaging scope, and the actual send/receive. A flow they cannot reproduce fails.
How the approval process runs
Getting the messaging permission approved follows a fixed sequence. Each stage has to be right before the next matters — this is the part we handle end to end.
Confirm the correct login setup and map the messaging scope plus every dependency for your exact use case.
Complete Business Verification and align the privacy policy, data handling and automation disclosures with messaging policy.
Stand up a reviewer-ready environment with test users where the full receive-and-reply DM flow works without errors.
Record a screencast that shows consent for the messaging scope and a real DM exchange, paired with a matching written justification.
Submit, monitor the review, and if the messaging scope comes back, fix the precise reason and resubmit without disturbing approved scopes.
What approval looks like on the other side
For a real example of a multi-permission messaging approval, see our Instagram messaging SaaS case study. For what an Instagram API project typically involves in budget terms, see the Instagram API cost and pricing guide.