Instagram Graph API: How to Get Access and a Token for Stats

Any external Instagram analytics — your own dashboard, a script, a ready-made self-hosted product — starts with the same thing: an access token for the Instagram Graph API. Getting it isn't hard, but the Meta for Developers interface is confusing, the terminology changes every year, and half the guides online describe the old, deprecated Basic Display API. Below is the current, step-by-step path to a working token with stats access, plus a breakdown of common errors.

What the Graph API gives you, and what it doesn't

The Instagram Graph API is the only legal way to pull an account's internal stats programmatically: reach, impressions, saves, shares, follower growth, audience demographics. These are the same numbers you see in the app's built-in stats, but through the API you can pull them daily, accumulate them, and build your own reports.

Important limits: the API returns stats only for your account (or accounts you've been granted access to) — you can't "check a competitor's metrics" through it. And it works only with professional accounts.

Step 1: switch your account to Business or Creator

Personal accounts don't return stats through the API — that's a Meta restriction. To switch: Instagram → Settings → Account type and tools → Switch to professional account. It's free and takes two minutes. For a business, choose Business; for creators, Creator — both work for API stats.

A tip from practice: link your Instagram to a Facebook Page. For some access scenarios it's mandatory, and even where it isn't, the link makes API behavior more predictable.

Step 2: create an app in Meta for Developers

1. Go to developers.facebook.com under your Facebook account.
2. My Apps → Create App.
3. At the use-case selection step, choose "Manage messaging & content on Instagram" — this is the option that opens access to the Instagram API for working with content and stats. Don't pick "Other"/"None": you'd then have to add the required products by hand.
4. Fill in the app name and contact email, and create the app.

An "app" here is just a container for access rights and tokens. You don't need to put it through App Review for personal use: in development mode it works fully with accounts that have a role in it.

Step 3: add the instagram_business_manage_insights permission

Permissions define what the token can do. The key one for stats is instagram_business_manage_insights: it opens the insights endpoints for the account and for individual posts (reach, saves, shares, demographics, follower growth).

In the app settings, open the Instagram → API setup section, connect your Instagram account to the app, and make sure instagram_business_manage_insights is checked when generating the token. If you also plan to publish through the API later, add the relevant content permissions, but for analytics, insights is enough.

Step 4: generate the access token

In that same Instagram → API setup section there's a button to generate a token for the connected account. You click it, confirm the permissions in the Instagram window, and get a long string like IGAA.... That's your access token.

What you need to know about token lifetimes:

Token type	Lifetime	Note
Short-lived	~1 hour	Issued by default in some flows
Long-lived	~60 days	Obtained by exchanging a short-lived one, or directly in API setup
Refreshed long-lived	+60 days	Refreshed with a request to refresh_access_token

Practical takeaway: grab a long-lived token right away and set a reminder (or automation) to refresh it every 1.5–2 months. "The dashboard suddenly stopped updating" means an expired token in 9 cases out of 10.

Step 5: check the token with a single request

Before pasting the token anywhere, check it in the terminal:

curl "https://graph.instagram.com/me?fields=id,username&access_token=YOUR_TOKEN"

If your username comes back, the token is alive. Next, check insights:

curl "https://graph.instagram.com/me/insights?metric=reach&period=day&access_token=YOUR_TOKEN"

Numbers in the response mean the stats permission works and you can connect your analytics.

Common errors and how to fix them

Symptom	Cause	Fix
(#10) Permission denied on insights	Missing instagram_business_manage_insights	Regenerate the token with this permission
Invalid OAuth access token	Token expired or copied with a space	Generate a new one, copy it in full
Empty demographics	Fewer than ~100 followers	A Meta limit; wait for the account to grow
API doesn't see the account	Account is personal, not Business/Creator	Switch the account type (step 1)
A metric returns an error	The metric isn't available for this media type or period	Check the metric list for the media type in the docs
Everything worked, then broke after 2 months	The long-lived token expired	Refresh via refresh_access_token, set up automation

Where to put the token: a ready dashboard instead of homemade scripts

A token by itself is just a pass. To get value from it, you need a system that pulls metrics daily, accumulates history, and draws reports. If you don't want to write it yourself, there's the free open-source Instagram Dashboard by MaxICo Labs: self-hosted, deployed via Docker in 10 minutes, with the token pasted right in the interface — go to ⚙ Settings, paste the IGAA... string, and the dashboard starts collecting KPIs, per-post ER%, follower growth with Reels markers, and demographics. No editing config files on the server; all API routes are protected by auth, and the token is stored only in your own storage. See the live demo: inst-dashbord.maxicolabs.com.

What an agency with multiple clients should do

If you manage several accounts, don't try to serve them all with one token — each client account has its own token with its own rights. The workflow: the client adds your account to their Meta app (or you create the app and give the client a role), you generate a separate token per account, and store them in isolation. That way revoking one token doesn't affect the rest of your clients, and when a collaboration ends, access is closed with one click.

Token security: three rules

An access token with insights permission is full access to your account's stats. Treat it like a password:

1. Never commit the token to git. The classic mistake: token in a config, config in a public repo, found by scanners within an hour. Keep the token in .env, and .env in .gitignore. In ready-made products like Instagram Dashboard this is the default: secrets structurally don't make it into the repo.
2. Don't paste the token into third-party "free checkers." "Check your token online" sites are the easiest way to leak it. Verify it via curl from your own terminal or through the official Access Token Debugger in Meta for Developers.
3. If the token is compromised, revoke it immediately. In the app settings you can invalidate tokens and generate new ones. If a token showed up in a screenshot, CI logs, or a public repo — consider it leaked and rotate it, "just in case" included.

And separately on storage: if your dashboard is self-hosted, the token sits on your server and goes nowhere. If you hand the token to a SaaS service, you're effectively trusting your account's stats to someone else's infrastructure. That's a fine trade-off, but it should be a conscious one.

Summary

The whole path — Business account → app in Meta for Developers → "Manage messaging & content on Instagram" use case → instagram_business_manage_insights permission → long-lived token → check via curl — takes 10–15 minutes if you follow the steps and don't confuse the current Instagram API with the old Basic Display. The most common cause of problems isn't bugs in your code, but expired tokens and a missing permission.

From there you can hand the token to the free Instagram Dashboard and get full analytics without a line of code. And if your business needs more — integrating Instagram data into your own reporting, end-to-end analytics, or other AI solutions for business — the MaxICo Labs team can help. Start with a free 30-minute AI audit: maxicolabs.com/contact.