Ask HN: Has anyone managed to pass Meta's Access Verification?

18 hipgrave 10 5/5/2025, 2:26:19 PM
After spending a few months building out a new project that relies on the Instagram Graph API I'm struggling to pass Meta's Access Verification for Tech Providers.

We passed the app verification and business verification fairly easily, but we're stuck getting access verification. It feels like Meta is automatically denying us access without telling us explicitly what they are looking for or what we are missing from our answers. We keep getting knocked back with the same reply asking for:

   1. Add details about how your business will use Platform Data (i.e., any info or data you obtain from us) to enable a product or service on behalf of your clients.

   2. Describe how your clients use your product or service.

All we really need is to use Instagram OAuth to retrieve the username from the authorised user. My replies have gone into depth explaining this to Meta, including how we use the username (we save it against a user model in our database) and instructions for users to delete their accounts. But nothing seems to be enough.

Has anyone had experience with this and can shed some light on what I might be doing wrong?

Thanks!

Comments (10)

vintagedave · 4h ago
Upvoting because you're struggling with a faceless megacorp.

> how we use the username (we save it against a user model in our database)

But what are you doing with that data? If I got that explanation, I'd ask again too. From what you wrote, I have no idea why you use IG, why you even need usernames, and definitely not how they are used after they are saved against other data.

ryandrake · 3h ago
Sounds like a good avenue to explore would be: If you did not have this access, how would your product fail to achieve its use cases? If you can answer this, then you can probably provide the information they are asking for.

And NOT the technically correct answer of "The product would fail to use Instagram OAuth to retrieve the username from the authorised user." Think about why the username is needed in the first place.

stephenbez · 3h ago
Yeah, at least in this post the OP talks about the technical details, but if they are not explaining what the purpose of the product is, and why users would use it, I could see that getting rejected.

hipgrave · 2h ago
Fair point. I didn't want to paste the whole reply because it would be a wall of text but here is my latest desperate attempt for reference. I'm obviously open to any suggestions for edits:

Our app is used to authenticate users—specifically musicians—via the Instagram OAuth flow. We request access only to the instagram_business_basic permission and retrieve minimal public profile data, specifically the Instagram username. This information is used solely to associate an Instagram account with the corresponding user profile in our platform's database for identity verification purposes.

Our role as a Tech Provider is limited to enabling musicians to link their verified Instagram accounts as a form of professional identity on our platform. This helps to ensure authenticity and trust among users, particularly industry professionals engaging with our artist-focused services.

We do not collect, store, or process any private Instagram data. We do not publish content, provide analytics, or perform automated actions on behalf of users. The data retrieved is strictly limited to the public username field and is never shared with third parties.

The user journey is as follows:

1. The user visits [REDACTED] and clicks the Connect Instagram button.

2. They are redirected to the official Instagram OAuth dialog to authorize access to their public profile.

3. Upon successful authentication, they are redirected back to our app, which then makes a request to the Instagram Graph API endpoint https://graph.instagram.com/me using the access token.

4. We extract the username field from the response and associate it with the user’s profile in our database to complete the verification process.

Users have full control over their accounts and data. If a user wishes to remove their account and associated data from our platform, they can follow the instructions provided here: [REDACTED].

This implementation strictly follows Instagram's platform guidelines and privacy principles by minimizing data usage, requiring explicit user authorization, and ensuring transparency and user control.

1. How our business uses Platform Data to enable a product or service for our clients:

[REDACTED] uses Instagram Data to show that content on our platform has been provided by an official source.

More detailed info:

Our platform, [REDACTED], provides a service that allows musicians to authenticate their identity by linking their Instagram accounts. This process utilises the Instagram OAuth flow to obtain the instagram_business_basic permission, specifically retrieving the public Instagram username.

The data retrieved is used exclusively to associate an Instagram account with a user's profile on our platform, facilitating identity verification for musicians. This process ensures that the musicians' profiles are authentic and trusted by users engaging with our services.

Our role as a Tech Provider is to enable musicians to link their verified Instagram accounts as a form of professional identity on our platform. This helps to ensure authenticity and trust among users.

2. How our clients use our product or service:

Our clients are musicians with published music releases that the [REDACTED] service ties to additional content uploaded via our platform, including sleeve art image files, appropriate links and other contextual content. Our clients then share their profile and content with their fan base communities on social media, for users to experience an enhanced music release experience.

More detailed info:

Our clients are musicians who utilise our platform to manage their professional presence. By linking their verified Instagram accounts, they can:

- Enhance their profile's credibility and visibility to industry professionals.

- Provide a verified link to their public Instagram profile, showcasing their work and engagement with their audience.

- Utilise our platform's features to manage their professional identity and interactions within the music industry.

This integration allows musicians to maintain a consistent and verified online presence, fostering trust and recognition within the industry.

Additional Information:

Data Handling: We do not collect, store, or process any private Instagram data. The data retrieved is strictly limited to the public username field and is never shared with third parties.

User Control: Users have full control over their accounts and data. If a user wishes to remove their account and associated data from our platform, they can follow the instructions provided here: Delete your artist account.

Compliance: This implementation strictly follows Instagram's platform guidelines and privacy principles by minimizing data usage, requiring explicit user authorization, and ensuring transparency and user control.

nikolas- · 1h ago
I've previously gone through review for IG basic + messaging permissions, it took several months of constant submissions to get approved. I'm not sure if their process has changed (got approval ~1 year ago), but we quickly realized Meta's entire review team has been outsourced to external contractors that just don't care. We'd get random rejections relating to functionality and check access logs to discover they hadn't even opened the app.

What ended up working for us was just keeping consistent & simple responses to the usage questions, and whenever we received a rejection with a valid concern, we'd address it at the top of our existing response with something like "In response to the latest rejection: ...". Unfortunately it seems unless you get a competent reviewer, you're out of luck, so just keep submitting as soon as rejection comes in and eventually you'll get through.

hipgrave · 1h ago
Thanks, and congratulations on getting through. Unfortunately they now have something in place whereby after X number of attempts (7 for me) they lock you out of applying for 90 days! I actually made a new business on Meta to try and submit again faster and have been locked out twice now.

snowwrestler · 2h ago
We recently built out a simple web app and eventually just gave up on Login with Facebook. It was by far the most complex and inscrutable process of all the platforms, with at least one step obviously broken. So now when you go to create an account in our app, your options are:

- Continue with Google

- Continue with Apple

- Continue with LinkedIn

- Username/password

My totally uninformed, vibe-based reading of the situation is that Meta no longer prioritizes, or maybe even is actively sunsetting, 3rd party integrations that access any Meta user data.

hipgrave · 2h ago
I get that impression too. To make matters worse, when I tried to send a developer support ticket to reach out it wouldn't even send, just kept showing a generic "couldn't send try again later" error.

hariwb · 2h ago
Commenting because I went through this maddening and incomprehensible process last year and got rejected a bunch as well. The thing that I believe worked for me was that I completed domain verification via my business manager account (which was also a journey in and of itself). Once that came through, my Tech Provider application was approved within the next day or two.

hipgrave · 1h ago
Thanks, I will try that!