Security Best Practices

System users and access tokens are used for authentication of your servers or software making API calls to assets owned or managed by a Business Manager.

It's important to follow security best practices working with system users and access tokens. Access Token Debugger tool is helpful to see token details like expiration, type, app ID, etc.

Manage System User Access Token Permissions

Multiple permissions are available for system users when generating an access token. Example permissions are: ads_management, business_management, manage_notifications, pages_read_engagement, and more.

Each permission will allow your app to read, write information, or perform certain actions. You should restrict the access token permission scope by only assigning permissions that are required.

For example, only two permissions are typically required for Instagram Shopping integration: manage_pages for Order Management API and ads_management for Catalog API (optional).

Once the system user has this permission, the system user access token can be used to retrieve the page access token.

Manage System User Tasks

A system user can have these task access levels for an asset like a page, ad account, or product catalog: ['MANAGE'], ['CREATE_CONTENT'], ['MODERATE'],['ADVERTISE'] and ['ANALYZE'].

The access type can be specified in the Business Manager settings.

You should restrict the page access type to ['CREATE_CONTENT'] for the Instagram Shopping integration.

Admin System Users vs System Users

System users represent servers or software making API calls to assets owned or managed by a Business Manager. The easiest, quickest way to create a System User is in the Business Manager tool.

There are two types of system users: admin system user and system user. An admin system user can create system users, assign permissions, and more. System user can only access the assets they have permission for.

Give system users access to assets and use system users for most API calls. You should limit using admin system user for administrative actions such as assigning permission. Since it has the most permissions, you should carefully safeguard the admin system user token.

See more information here.

Safeguard Access Tokens

You should carefully safeguard the product system user and page access tokens. Store them in a secure location and do not share with anyone in plaintext.

You should not allow using a test page access token to call API for a production page. You can create two system users - one for test, and one for production.

Note: Your app has a certain access level. This determines how many system users you can create for the Business Manager that owns your app:

Level System Users Admin System Users










Rotate Access Tokens

It's a good practice to rotate system user access tokens periodically.

You may invalidate all access tokens of a system user by sending a DELETE request to the endpoint:

Graph API Explorer
curl -X DELETE -G \
  -F 'access_token=<ACCESS_TOKEN>' \{APP_SCOPED_SYSTEM_USER_ID}/access_tokens
/* PHP SDK v5.0.0 */
/* make the API call */
try {
  // Returns a `Facebook\FacebookResponse` object
  $response = $fb->delete(
    array (),
} catch(Facebook\Exceptions\FacebookResponseException $e) {
  echo 'Graph returned an error: ' . $e->getMessage();
} catch(Facebook\Exceptions\FacebookSDKException $e) {
  echo 'Facebook SDK returned an error: ' . $e->getMessage();
$graphNode = $response->getGraphNode();
/* handle the result */
/* make the API call */
    function (response) {
      if (response && !response.error) {
        /* handle the result */