Instagram Platform

Long-Lived Access Tokens

By default, Instagram User Access Tokens are short-lived and are valid for one hour. However, short-lived tokens can be exchanged for long-lived tokens.

Long-lived tokens are valid for 60 days and can be refreshed as long as they are at least 24 hours old but have not expired, and the app user has granted your app the instagram_graph_user_profile permission. Refreshed tokens are valid for 60 days from the date at which they are refreshed. Tokens that have not been refreshed in 60 days will expire and can no longer be refreshed.

Limitations

  • Expired short-lived tokens cannot be exchanged for long-lived tokens. If the user’s token has expired, get a new one before exchanging it for a long-lived token.
  • Requests for long-lived tokens include your app secret so should only be made in server-side code, never in client-side code or in an app binary that could be decompiled. Do not share your app secret with anyone, expose it in code, send it to a client, or store it in a device.

Get a Long-Lived Token

Use the GET /access_token endpoint to exchange a short-lived Instagram User Access Token for a long-lived token. Once you have a long-lived token, you can use it in server-side requests or send it to the client for use there.

Your request must be made server-side and include:

  • A valid (unexpired) short-lived Instagram User Access Token
  • Your Instagram App Secret (App Dashboard > Products > Instagram > Basic Display > Instagram App Secret)

Refer to the GET /access_token reference for additional information.

Sample Requests

curl -i -X GET "https://graph.instagram.com/access_token
  ?grant_type=ig_exchange_token
  &client_secret={instagram-app-secret}
  &access_token={short-lived-access-token}"

Sample Response

{
  "access_token":"{long-lived-user-access-token}",
  "token_type": "bearer",
  "expires_in": 5183944  // Number of seconds until token expires
}

Refresh a Long-Lived Token

Use the GET /refresh_access_token endpoint to refresh unexpired long-lived Instagram User Access tokens. Refreshing a long-lived token makes it valid for 60 days again. Long-lived tokens that have not been refreshed in 60 days will expire.

Long-lived access tokens for private Instagram accounts cannot be refreshed. In addition, if an app user switches their account from public to private, their token will be invalidated and a new token must be requested.

Your request must include:

  • A valid (unexpired) long-lived Instagram User Access Token

Refer to the GET /refresh_access_token reference for additional information.

Sample Requests

curl -i -X GET "https://graph.instagram.com/refresh_access_token
  ?grant_type=ig_refresh_token
  &access_token={long-lived-access-token}"

Sample Response

{
  "access_token":"{long-lived-user-access-token}",
  "token_type": "bearer",
  "expires_in": 5183944 // Number of seconds until token expires
}