Guaranteed 100% Facebook, Instagram and WhatsApp Approvals & App Review
Quick Transfer Ready to use app available for Facebook, Instagram and WhatsApp
Guaranteed 100% Facebook, Instagram and WhatsApp Approvals & App Review
Quick Transfer Ready to use app available for Facebook, Instagram and WhatsApp
Instagram Graph API — 2026

Instagram API Advanced Access: The Gate Between Testing and Real Clients

Your app works fine for your own Instagram account. Apps still relying on old Basic Display tokens must migrate to the Graph API, and here is what the Basic Display API shutdown means. Test users authenticate without issues. Then the first paying client tries to connect — and the API returns permission errors or simply refuses to authorize. This is the Standard Access wall. Crossing it requires Meta App Review for Advanced Access, and the process has several steps most developers miss the first time.

Standard Access vs Advanced Access — what actually changes

Standard Access (default)

  • Available immediately — no App Review needed
  • Limited to people with roles on your app: developers, testers, admins
  • App can only serve Instagram accounts you personally own or manage
  • Some features may not function correctly even for test accounts
  • Never suitable for onboarding real, third-party client accounts

Advanced Access (required for real clients)

  • Unlocks your app for users with no role assigned on it
  • Required for serving Instagram Business and Creator accounts you do not own
  • Requires Business Verification AND Meta App Review
  • Each permission is reviewed and approved separately
  • No practical cap on the number of Instagram accounts your app can serve once approved

Which Instagram permissions require Advanced Access?

Instagram has two API configurations depending on how users authenticate. The permissions you can request depend on the login path, so check which Instagram API path your app needs before you submit for review. All permissions in both configurations require Advanced Access to serve accounts outside your own — Standard Access covers only role-assigned accounts in all cases.

Instagram Login (Business Login for Instagram)

  • instagram_business_basic
  • instagram_business_content_publish
  • instagram_business_manage_comments
  • instagram_business_manage_messages
  • Human Agent feature (7-day messaging window)

Facebook Login (Facebook Login for Business)

  • instagram_basic
  • instagram_content_publish
  • instagram_manage_comments
  • instagram_manage_insights
  • instagram_manage_messages
  • pages_show_list, pages_read_engagement
  • Instagram Public Content Access (Hashtag Search)

Why Standard Access breaks production apps (and hides the problem during testing)

  • Client authorization silently fails: When a real client clicks your OAuth flow, Instagram checks app roles. The client is not a developer or tester on your app, so authorization is blocked or returns empty data — no clear error message, just no access.
  • Development Mode vs Live Mode gap: Permissions that worked during development stop working correctly in production because Live Mode Advanced Access has not been approved via App Review.
  • Meta’s own documentation states: “Some features might not work properly until your app has been granted Advanced Access.” This is not a bug or a misconfiguration — it is the intended gate.
  • Invisible until the first real client: If you only tested with your own account or accounts you manage, Standard Access works fine. The wall only appears when a non-role user tries to connect. By that point, the product may already be launched.

What Instagram API Advanced Access approval actually requires

1

Switch your app to Live Mode

Your Meta app must be in Live Mode before submitting for App Review. Apps in Development Mode are blocked from receiving Advanced Access. Switching to Live Mode while only having Standard Access is the point where most teams first see the Standard Access wall on real accounts.

2

Complete Meta Business Verification

Advanced Access requires your business identity to be verified in Meta Business Manager before App Review can succeed. Business Verification has its own documentation requirements and is a common independent rejection point. Attempting App Review before Verification passes is the most common sequence mistake. See our guide to Meta Business Verification.

3

Publish a valid privacy policy

Your privacy policy must be reachable via a public HTTPS URL, hosted on the same domain as your app, and specifically disclose how your app handles Instagram and Facebook user data — what you access, how you use it, retention period, and how users can request deletion.

4

Add a data deletion URL (required for Facebook Login apps)

Apps using Facebook Login for Business that handle Facebook user data must provide either a Data Deletion Callback URL or a Data Deletion Instructions URL in the App Dashboard. This is one of the most commonly missing requirements and causes automatic App Review rejection. Learn more about the Facebook data deletion callback URL requirement.

5

Write per-permission use-case justifications

For each permission you request, Meta requires a written justification explaining exactly which feature depends on it, why a narrower scope would not work, and how the data is used. Generic justifications — “we need this for our social features” — trigger rejection. Each permission is evaluated individually.

6

Submit a screencast for each permission

For each permission, you must record a demo video showing the complete OAuth authorization flow using a real Instagram Business or Creator account (not a test user), and showing that permission’s data rendering in your app’s front-end. The reviewer must be able to reproduce every step. One screencast per permission — not a single combined video.

Why Instagram Advanced Access requests get rejected

  • Screencast uses a test user account — App Review requires a real Instagram Business or Creator account, not a developer test user assigned in the App Dashboard
  • OAuth consent screen missing from the screencast — reviewers must see the user explicitly granting permissions during the flow
  • Requested data not rendered in the app after authorization — a success token or console log is not enough; the data must visibly appear in the app’s front-end
  • Business Verification not completed before App Review submission — the most common sequencing mistake; both are required but Verification must come first
  • Privacy policy on a different domain — must be on the same domain as the app’s homepage URL listed in the App Dashboard
  • Data deletion URL missing — required for Facebook Login apps; absence causes automatic rejection
  • Permissions requested but not demonstrated — any permission the screencast does not show being actively used will be removed or rejected
  • Vague per-permission justifications — Meta expects concrete feature names and specific data-use explanations for every scope

What changes after Advanced Access is approved

Once Meta approves Advanced Access for each permission, your app can onboard any Instagram Business or Creator account without role restrictions. There is no per-client approval and no user cap. Advanced Access does not raise the impression-based ceiling, so read why your Instagram app hits 429 errors for how the quota really scales. The approved permissions apply to every new account that connects through your OAuth flow — meaning one successful App Review unlocks your app for all future clients using those permissions.

For a deeper look at what Advanced Access means across all Meta platforms, see What Is Meta Advanced Access and How to Get It Approved.

Meta makes all App Review and Advanced Access approval decisions independently. Approval timelines and outcomes are determined solely by Meta. This page describes the preparation and submission process based on publicly available Meta developer documentation — it is not an official Meta service or partnership, and no outcome can be guaranteed.

Need help getting Instagram API Advanced Access approved?

The Instagram App Review process — Business Verification sequencing, per-permission screencasts, justification wording, data deletion compliance — has precise technical requirements at every step. I help Instagram API and SaaS teams prepare and submit App Review correctly the first time.