It's important to follow security best practices when working with system users and access tokens. The Access Token Debugger tool shows token details such as expiration, type, app ID, and more.
Multiple permissions are available to system users when generating an access token. Example permissions include publish_pages, among others.
Each permission allows your app to read or write information, or to perform certain actions. Restrict the access token's permission scope by assigning only the permissions that are required.
For example, only two permissions are typically required for Instagram Shopping integration:
manage_pages for Order Management API and
ads_management for Catalog API (optional).
Once the system user has these permissions, its access token can be used to retrieve the page access token.
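The following is an added example, not Meta's code, that applies the least-privilege rules above before a server uses a token. It consumes the JSON returned by the Graph API GET /debug_token endpoint (the same data the Access Token Debugger displays: app ID, type, expiry, scopes) and flags a token that is invalid, issued to a different app, carries scopes beyond the two the Instagram Shopping integration needs, or is close to expiry and therefore due for rotation. The sample response, the app ID and the seven-day rotation threshold are constructed placeholders, not values from the page.

```python
"""Least-privilege audit of a Graph API access token (added example)."""
import json
import urllib.parse
import urllib.request

GRAPH_DEBUG_ENDPOINT = "https://graph.facebook.com/debug_token"

# The two permissions the text lists for an Instagram Shopping integration.
REQUIRED_SCOPES = {"manage_pages", "ads_management"}

# Constructed /debug_token response: real field names, made-up values.
# expires_at of 0 is how a token with no expiry date is reported.
SAMPLE_DEBUG_RESPONSE = json.dumps({
    "data": {
        "app_id": "000000000000000",   # placeholder app ID
        "type": "USER",
        "application": "Example Shop Integration",
        "expires_at": 0,
        "is_valid": True,
        "scopes": ["manage_pages", "ads_management", "publish_pages"],
    }
})


def debug_token_url(input_token, app_access_token):
    """Build the GET /debug_token request. input_token is the token under
    inspection; access_token authorises the lookup (an app token or an
    admin token). Returned rather than fetched so it can be tested offline."""
    query = urllib.parse.urlencode(
        {"input_token": input_token, "access_token": app_access_token})
    return GRAPH_DEBUG_ENDPOINT + "?" + query


def fetch_debug_token(input_token, app_access_token, timeout=10):
    """Call the endpoint and return the raw JSON text (network required)."""
    url = debug_token_url(input_token, app_access_token)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def audit_token(debug_json, expected_app_id, allowed_scopes, now,
                min_remaining=7 * 24 * 3600):
    """Return a list of findings; an empty list means the token passes.

    now is a Unix timestamp. min_remaining is how much lifetime must be
    left before the token counts as due for rotation (assumed: 7 days).
    """
    data = json.loads(debug_json).get("data", {})
    findings = []
    if not data.get("is_valid", False):
        findings.append("token is not valid")
    app_id = str(data.get("app_id", ""))
    if app_id != expected_app_id:
        findings.append(f"issued to app {app_id}, expected {expected_app_id}")
    granted = set(data.get("scopes", []))
    extra = sorted(granted - set(allowed_scopes))
    if extra:
        findings.append("over-privileged: unneeded scopes " + ", ".join(extra))
    missing = sorted(set(allowed_scopes) - granted)
    if missing:
        findings.append("missing required scopes " + ", ".join(missing))
    expires_at = int(data.get("expires_at", 0) or 0)
    if expires_at and expires_at - now < min_remaining:
        findings.append(f"expires at {expires_at}; rotate now")
    return findings


if __name__ == "__main__":
    # The constructed sample carries publish_pages, which the integration
    # does not need, so the audit reports it as over-privileged.
    for line in audit_token(SAMPLE_DEBUG_RESPONSE, "000000000000000",
                            REQUIRED_SCOPES, now=1_700_000_000):
        print("FINDING:", line)
```

Run the audit at deployment time and on a schedule; a non-empty result is a reason to regenerate the system user token with only the required permissions rather than to ship with the surplus scope.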
A system user can have these task access levels for an asset such as a page, ad account, or product catalog:
The access type can be specified in the Business Manager settings.
You should restrict the page access type to ['CREATE_CONTENT'] for the Instagram Shopping integration.
System users represent servers or software making API calls to assets owned or managed by a Business Manager. The easiest and quickest way to create a system user is in the Business Manager tool.
There are two types of system users: admin system user and system user. An admin system user can create system users, assign permissions, and more. A system user can only access the assets it has permission for.
You should give system users access to assets and use system users for most API calls. You should limit the admin system user to administrative actions such as assigning permissions. Since it has the most permissions, you should carefully safeguard the admin system user token.
You should carefully safeguard the production system user and page access tokens. Store them in a secure location and never share them with anyone in plaintext.
You should not allow a test page access token to be used to call the API for a production page. Create two system users: one for test and one for production.
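One way to enforce that separation in the calling server, as an added example that is not Meta's code: each page is bound to the environment it belongs to, the token for each environment is read from its own environment variable rather than from source, and a request for a page in one environment is refused a token from the other. The variable names and page IDs are assumptions.

```python
"""Keep test and production page access tokens apart (added example)."""
import os

# Which page belongs to which environment (constructed placeholder IDs).
PAGE_ENVIRONMENT = {
    "100000000000001": "test",
    "200000000000002": "production",
}

# Environment variable that holds the page access token for each
# environment; the token itself is never written into the code.
TOKEN_VARS = {"test": "PAGE_TOKEN_TEST", "production": "PAGE_TOKEN_PRODUCTION"}


class EnvironmentMismatch(Exception):
    """Raised when the page and the requested token environment differ."""


def page_token_for(page_id, environment, env=None):
    """Return the token to use for page_id in environment, or raise.

    env defaults to os.environ; a mapping can be passed for testing.
    """
    env = os.environ if env is None else env
    owner = PAGE_ENVIRONMENT.get(page_id)
    if owner is None:
        raise KeyError(f"page {page_id} is not in the allow-list")
    if owner != environment:
        # The failure mode the text warns about: a test token reaching a
        # production page (or the reverse) is refused before any API call.
        raise EnvironmentMismatch(
            f"page {page_id} is a {owner} page; refusing a {environment} token")
    var = TOKEN_VARS[environment]
    token = env.get(var)
    if not token:
        raise RuntimeError(f"{var} is not set")
    return token


if __name__ == "__main__":
    try:
        page_token_for("200000000000002", "test", {"PAGE_TOKEN_TEST": "t"})
    except EnvironmentMismatch as exc:
        print("blocked:", exc)
```

Because the lookup is keyed by page ID, adding a new page means adding it to the allow-list for exactly one environment; a page that is missing from the list is rejected rather than silently served with whichever token happens to be available.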
Note: Your app has a certain access level, which determines how many system users you can create for the Business Manager that owns your app:
| Level | System Users | Admin System Users |
It's good practice to rotate system user access tokens periodically.
You may invalidate all access tokens of a system user by sending a DELETE request to the endpoint: