6

We have a client who has a simple Instagram feature on the site to pull photos by a certain tag. They just noticed it isn't working. Getting an error - invalid access token. I guess since the 1st because of the updates. We didn't used to need an access token since we're not doing anything with users - just tags.

Now it looks like we need one and the documentation makes zero sense on how to obtain one. And it seems like they're not accepting most apps. The app is in sandbox mode too. So I'm assuming it's because it got switched to that? Got no notification of this happening.

The first step in documentation to get an access token is "Direct the user to our authorization url." What does that even mean? There's not a link provided or anything. It also says "Company Name, Contact Email and Privacy Policy URL are required to start a submission." Our app doesn't have a privacy policy... it's just a simple tag feed. I don't understand why everything is so complex to have a simple tag feed.

Is there a wait time to get the app approved..if it gets approved... Do I have to have it approved before getting an access token? This isn't outlined anywhere.

pinksharpii
  • 527
  • 1
  • 8
  • 18

1 Answers1

9

You got it right. As of June 2016 any Instagram API calls require an access token.

Getting an access token is described in the documentation. App approval is not required.

There are two ways to get one: server-side or client-side. The second option (called implicit authentication) can only be used when implicit OAuth is enabled in the client settings (Manage Clients > Edit Client > Security > Disable implicit OAuth). It is disabled by default.

In either case you need to redirect the user to the authorization URL to obtain an access token.

The URL for explicit mode (server side) is:

https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code

The URL for implicit mode (client side) is:

https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=token

After this you will be redirected to the REDIRECT-URI, which will be passed an argument. For explicit mode this will be a query string with a code, while for implicit mode you will get the access token directly as a hash:

http://your-redirect-uri?code=CODE
http://your-redirect-uri#access_token=ACCESS-TOKEN

For implicit mode you can then get the access token from the window.location.hash in Javascript.

For explicit mode, however, you need to further process the code to obtain the access token. You can read how this can be done in the API Documentation. I'm not going to take this any further here.

The problem is that every user who wants to see your feed needs to login to Instagram (and have an account) in order to view it. In your case this might not be desired. However, there are a few options to get around this (rather annoying) problem:

  1. You can reuse your own (already obtained) access token(s) to display the Instagram feed for every user. You will need to be aware of rate limits for each token. For sandboxed apps this is 500 API calls / hour, while live mode allows 5000 API calls / hour. [source] You could store tokens in a table and use them in a round-robin manner, to allow more API calls. This involves manually obtaining a bunch of tokens which your application can use (the more the better). This might not be the ideal solution considering Instagram doesn't warrant access tokens to have an unlimited lifetime.

  2. You can retreive JSON data without authentication by appending /media/ to a user page URL, as described in this post. No tokens or client IDs are required for this to work. However, this only works for users, not for tags. Besides, Instagram doesn't document this feature so it is not garanteed to work in the future.

  3. You can use an aggregator like Juicer or Dialogfeed instead which will handle access tokens for you. This is usually not free of charge.

I'm also in the process of making an Instagram feed for my website, and this is what I concluded from my research. Please bare with any errors I made.

Edit: Here are some more limitations for sandbox apps.

In sandbox mode you can only access data from sandbox users (thus users who received a sandbox invite). This means that:

  • Media retreived by user, e.g. /users/{user-id}/media/recent, will return an empty response if the user is not any of the sandbox users.
  • Media retreived by tag, e.g. /tags/{tag-name}/media/recent, will only contain tagged media belonging to sandbox users.

Thus, for a tag feed to work, it needs to be live (reviewed and approved). If you don't want to do this, the only alternative is to use an aggregator as I mentioned above.

Community
  • 1
  • 1
Midas
  • 7,012
  • 5
  • 34
  • 52
  • Thank you for your detailed comment. I got lost on step one trying to figure out what the authorization URL was because they didnt outline it on that documentation page. Regardless, it looks like we're not allowed to do this. http://grab.by/R08A Since they changed their permissions, a simple tag feed is not allowed (dumb!). Looks like we'll be going with the 2nd option and using their user feed. Thanks for pointing that out. Don't understand why they have an open endpoint for user and not tags. – pinksharpii Jun 22 '16 at 16:58
  • Please look into this : https://stackoverflow.com/questions/59052304/oauthaccesstokenexception-the-access-token-provided-is-invalid-instagram-new-api – user2028 Nov 28 '19 at 11:41