stevenschobert / instafeed.js

A simple Instagram JavaScript plugin for your website
https://instafeedjs.com
MIT License

New Instagram API restrictions & how it affects Instafeed.js #345

Closed goldprismco closed 4 years ago

goldprismco commented 8 years ago

UPDATE (@stevenschobert): This thread has turned into a conversation about how Instafeed.js is going to work with Instagram's new API restrictions.

Currently, new Instagram API clients are not able to fetch much of the data that Instafeed.js relied on to work, and we are evaluating options for how to handle authentication going forward. Credentials created before the API restrictions went live are not affected for now.


Original Post: I'm working on a client project (built on Shopify platform) and am looking to pull in their Instagram posts by user. I have it all set up - but it will not pull in my client's account. When I plug in my personal Instagram account userId & clientId, everything works perfectly so I know it's not an issue with how I have it set up. Are there any known security settings that will prevent instafeed from working on a specific account? To note, the account I'm looking to pull in has a very large following.. not sure if that has anything to do with it?

Here's the set-up I have for reference (includes liquid language as used on Shopify, so just ignore that):

```html
{% assign instafeed_img = '{{image}}' %}
{% assign instafeed_link = '{{link}}' %}
{% assign instafeed_likes = '{{likes}}' %}
{{ 'instafeed.min.js' | asset_url | script_tag }}
<script type="text/javascript">

var userFeed = new Instafeed({
    target: 'instafeed',
    get: 'user',
    userId: '260149935',
    clientId: 'xxx',
    limit: '10',
    sortBy: 'most-recent',
    resolution: 'standard_resolution',
    template: '<div class="grid__item large--one-fifth"><a href="{{ instafeed_link }}" target="_blank"><img src="{{ instafeed_img }}"><span class="likes"><span class="icon icon-heart" aria-hidden="true"></span>{{ instafeed_likes }}</span></a></div>'
});
userFeed.run();
</script>
```

goldprismco commented 8 years ago

UPDATE! Not sure why but with my client's account userId & clientId I'm getting an error: "The access_token provided is invalid". There's no access_token provided in the script, of course, as it was noted that with the recent version of instafeed this is no longer required. This error does NOT come up when I have my personal Instagram userId & clientId plugged in (and the script works and pulls in my user feed).

Thanks in advance for any insight you can provide on why this is happening & how to fix.

123ndy commented 8 years ago

I am also having this problem (with plain js). When I create a new Instagram client and provide the CLIENT_ID into instafeed, I get "The access_token provided is invalid". When I use a random CLIENT_ID I found on some forum, it works. I have tried with two different CLIENT_IDs I found on some forums and they both work, but none of my newly created CLIENT_IDs work?

stevenschobert commented 8 years ago

This is most likely due to the new API restrictions Instagram rolled out this week: http://instagram.com/developer/changelog/

Have either of you tried to submit your new client apps to the review process?

123ndy commented 8 years ago

That would explain it. I will get the client app reviewed, and report back.

stevenschobert commented 8 years ago

@goldprismco @123ndy Just a quick update:

I tried creating a new Instagram client ID and received this same error. I'm currently waiting to submit a test application through their review process. I'm hoping they will accept it under the "share my own content" use case, but we'll have to see!

Sorry for the inconvenience folks, I wish there was something more I could do :disappointed:

123ndy commented 8 years ago

Seems we have to wait until Dec 3, 2015 before they start to accept Permissions Review submissions.

goldprismco commented 8 years ago

@stevenschobert thanks for looking into it! Would using the access token fix this in the interim?

stevenschobert commented 8 years ago

@goldprismco If the token was generated before the API restrictions went into place, then it might. The same goes for client IDs.

My current understanding is that all new API credentials (including both access tokens and the client IDs they belong to) are now stuck in sandbox mode until the review process opens up.

iljapanic commented 8 years ago

I'm having the same issue. Token from the old API works without any issues, however the newly generated tokens don't work.

Any suggestions on how to go about solving this?

123ndy commented 8 years ago

@iljapanic I think we just have to wait until Dec 3 when they start to accept Permissions Review submissions.

egardner commented 8 years ago

I'm experiencing the same issue as well. Hoping that the Instagram API changes don't make it impossible to continue using the script in this fashion.

bakura10 commented 8 years ago

Ouch, that sounds like a major pain change from Instagram. We were using that for Shopify too, where customers can simply enter their client ID, but I started to receive mails from people saying it does not work.

If we now must explain to them that they should submit their app and wait, it will definitely be very annoying. Did anyone try if the access token suffers from the same issue?

bakura10 commented 8 years ago

It seems though that access token retrieved from the Instafeed client (https://instagram.com/oauth/authorize/?client_id=467ede5a6b9b48ae8e03f4e2582aeeb3&redirect_uri=http://instafeedjs.com&response_type=token) properly returns an access token that seems to work (at least that's how we recommend our theme customers to get their token and so far I didn't receive any email saying that it does not work). Asking our customers to create a client, asking permissions, justifying permissions, waiting... does not seem possible tbh.

So maybe Instafeed may make sure that their client used to generate those tokens is properly being reviewed so that it can continue to generate tokens in the future?

stevenschobert commented 8 years ago

Update: I submitted an application for review to Instagram earlier today, and am waiting to hear back.

I did discover that sandboxed clients can still access limited user information (if the user has been invited to the sandbox app), but only through access tokens, and only the last 20 pictures. This in theory would allow Instafeed.js to continue, but severely limits its usefulness :(

Hoping for the best everyone! Please accept my apologies, I wish there was more I could do to change the situation!

stevenschobert commented 8 years ago

@bakura10 Yeah, that would make sense because that client (the one for the Instafeed.js website) was created long before these restrictions were in place. So it's only going to continue working until they enforce the permissions on the legacy clients as well.

stevenschobert commented 8 years ago

I'm going to update the title and original post of this thread, so it more accurately reflects the current situation

bakura10 commented 8 years ago

Haha nice to hear, let us know, I hope Instagram will accept your app so I can still route our users to your website to generate an access token. Otherwise, I already feel the pain of hundreds of our theme users filling our support queue with "Instagram is not working anymore" :o.

bakura10 commented 8 years ago

Also, in order to avoid you to have also a lot of issues, I think (unfortunately) that you should revert back your documentation to recommend using access token instead of client ID, and re-integrate your link to generate access token (I was unable to find it in your current page).

shc023 commented 8 years ago

I also ran into this today, and while going through the process I noticed a "required step" to get approved is to "Provide a link to a video screencast showing a working Instagram Login experience in your app, as well as the usage of every permission you are requesting." and I feel that this is simply not meant for individuals to use. It seems that Instagram API now only wants to allow Platform developers to continue to use the API, instead of individual websites all implementing the API on their own. Instagram should seriously consider at least allowing the public_content scope to be retrieved without access_token, or it'll screw over every website out there that uses client-side instagram feeds.

netgfx commented 8 years ago

Agreed with the above post

manatarms commented 8 years ago

I submitted my app after the new review process went into place. All I want to do is display my images on my website. I asked for basic permission but got an Invalid use case issue in the review feedback, not sure what that means. Instafeed is throwing an error for client not approved but for some reason Instagram allowed me to go live. So I'm not really sure what's happening and how to proceed.

Any help is much appreciated. Thanks

manatarms commented 8 years ago

Hey everyone, not sure what changed but it's suddenly working again. My issue seems to have fixed itself. I will try and see what changed so I can give y'all some feedback.

themechills commented 8 years ago

@manatarms when going through the review process, did you have to provide a link to a video screencast (screenshot below)?

image

manatarms commented 8 years ago

@themechills I just put in a link to the section showing the implementation. Didn't really make a video screencast.

themechills commented 8 years ago

> @themechills I just put in a link to the section showing the implementation. Didn't really make a video screencast.

Thanks for the clarification buddy

ImTylerPorter commented 8 years ago

First off, thank you for a great script!

As I created my app with Instagram before their new API release, I wanted to be sure my service was uninterrupted. Placed a submission for review and was denied. All my site does is pull content from my personal Instagram feed. Curious to see how this will turn out for more instafeed.js users in the days to come.

For the future, any tips to get a passing submission would be greatly appreciated.

Valentine-Mick commented 8 years ago

Hi there, I've just started deving up my first new project with a personal Instagram feed to a website since this API change has been implemented.

I've always used instafeed and sailed through; now this is really irritating with the whole access token being denied.

Can I please request the final methods from those who managed to get it working? Did you have to take it out of sandbox mode for it to work even while testing etc? I hate to be pesky but until there is clearer documentation I'm a little uncertain how to get a feed for testing and then for public.

Cheers

benrlodge commented 8 years ago

There seems to be a little confusion on this thread -

As mentioned in the instagram change log (and here https://github.com/stevenschobert/instafeed.js/issues/364), Apps created on or after Nov 17, 2015 (though they have a typo saying 2005...fail) require a valid access_token.

So technically if you can get your hands on the access_token, you can still use instafeed, but, you shouldn't. (Note - I wrote up a quick blog post on how to get an access token http://www.benrlodge.com/blog/post/how-to-generate-an-instagram-access-token)

As stated at https://www.instagram.com/developer/authentication

> The Instagram API requires authentication - specifically requests made on behalf of a user. Authenticated requests require an access_token. These tokens are unique to a user and should be stored securely. Access tokens may expire at any time in the future.

So you can still access the instagram API if you can get an access_token, but you should be using it on the server-side where your access_token can't be read, not on the client-side, i.e. you shouldn't use your access_token with instafeed.js. Sorry, major bummer, I know!

If you have access to server-side code, you can just write your own custom request, but I'm afraid cool tools like instafeed.js that rely on the client-side are not going to be an option moving forward.

Long story short - Instagram is trying to get a much tighter grip on their API, and it's not going to offer the free-wheelin access it used to. http://mashable.com/2015/11/19/instagram-third-party-apps/#.L.TZRd8I5q0

Valentine-Mick commented 8 years ago

@benrlodge thanks for the clear up. What a bummer!

sfrdmn commented 8 years ago

@benrlodge Not quite true. It's the client_secret which should absolutely never be exposed to clients, not the access_token. Access tokens are tied to single users, after all. If either the server or the client has access to the access_token, the only person it can abuse is the user him/herself (who unfortunately granted permission)

Instagram even explicitly provides a means of fetching access tokens from the client: Client Side (Implicit) Authentication

At the end of the day, whether you handle auth on the server or client, you'll still need an Instagram client to fetch that data, e.g. instafeed. instafeed could easily support both the case where it has the access token, and where it doesn't. For the latter it would just need a configurable endpoint which acts as a proxy to Instagram

Edit: It should be noted that rate limits apply per access token, not per app

Edit edit: OK well, I guess you can still get your app disabled for being spammy, but can be a caveat in the Readme for people using client side auth

lusa commented 8 years ago

Talking more about @sfrdmn's comment - "configurable endpoint which acts as a proxy to Instagram". So if all our app requires is public_scope (IE a random user's feed), can't we just create an endpoint with someone's access_token and then return any user's public feed from that endpoint?

Can someone just build a third party service to do this for public_scope data? That way we just make an ajax request, and the service returns our publicly available data for us. Aka, A PUBLIC API. This really makes no sense that this is closed off.

Edit: According to several articles "any app that pulls in a full Instagram feed will be axed by the new restrictions". If this is true then I don't know why Instagram is providing this user endpoint at all. http://www.theverge.com/2015/11/17/9751574/instagram-app-developers-api-restrictions-security-privacy

jscissr commented 8 years ago

@lusa I guess the problem with building a "third party service" with a single access_token is rate limits. You would have to use caching and obtain multiple access_tokens, i.e. from every developer using the API. And then you would have to get that service approved by Instagram.

The only other option I can think of is using sandboxed mode, with all its limitations, and with the caveat that access_tokens may expire.

For now, I'm considering simply scraping Instagram's website on my server, caching the result for 30 minutes, and hoping it doesn't get blocked. Because that is actually the public API that we want. :wink:

sfrdmn commented 8 years ago

@lusa AFAIK, the API doesn't allow fetching random feeds at all. It only allows fetching the feeds of users who have explicitly given your app permission. I don't think it would be possible to fetch data for multiple users over a single access token. You can: have clients make requests via a server proxy where the server knows how to correlate clients to access tokens, have clients request access tokens from the server proxy and from there on do whatever, or use Instagram's client auth flow and ignore all that but create potential security issues

Sandbox mode doesn't change any of that, all it does is restrict the users from whom you can grab feeds and lowers the rate limit (woops, not sure that was right. ignore :) )

Nvm, I see what you mean now. I guess it just depends on how you want to implement your app/endpoint
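
The server-side proxy discussed above (token kept on the server, a configurable endpoint for the browser, caching to stay inside rate limits), as an added example that is not code from Instafeed.js or from any commenter. `createFeedProxy`, `fetchUpstream`, the `/feed` path and the one-minute retry interval are assumptions; the authenticated upstream request itself is supplied by the caller.

```javascript
// Added example: the access token stays on the server; browsers only call GET /feed.
const CACHE_TTL_MS = 30 * 60 * 1000; // 30-minute cache, the interval mentioned in the thread
const RETRY_MS = 60 * 1000;          // assumed back-off after a failed refresh
// Allow-list the fields the gallery template uses; drop everything else upstream returns.
function toPublicItem(item) {
  const src = item || {};
  const std = (src.images && src.images.standard_resolution) || {};
  return {
    link: String(src.link || ''),
    image: String(std.url || ''),
    likes: Number((src.likes && src.likes.count) || 0),
  };
}

// fetchUpstream(accessToken) is a hypothetical caller-supplied function that makes the
// authenticated API request on the server and resolves to { data: [...] }.
function createFeedProxy({ accessToken, fetchUpstream, now = Date.now, maxItems = 20 }) {
  if (!accessToken) throw new Error('access token must be configured on the server');
  let cache = null;    // { expires, items }
  let inflight = null; // one shared refresh, so concurrent visitors cause one upstream call

  function refresh() {
    if (!inflight) {
      inflight = Promise.resolve()
        .then(() => fetchUpstream(accessToken))
        .then((body) => {
          const items = Array.isArray(body && body.data) ? body.data : [];
          cache = { expires: now() + CACHE_TTL_MS, items: items.map(toPublicItem) };
        })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  async function getFeed(limit) {
    const wanted = parseInt(limit, 10);
    const n = Math.min(Math.max(Number.isNaN(wanted) ? maxItems : wanted, 1), maxItems);
    if (!cache || cache.expires <= now()) {
      try {
        await refresh();
      } catch (err) {
        // Tokens can expire at any time. Never forward upstream error text to the browser.
        if (!cache) throw new Error('upstream unavailable');
        cache.expires = now() + RETRY_MS; // serve the stale copy and retry later
      }
    }
    return cache.items.slice(0, n);
  }

  // Plain (req, res) handler, usable with Node's http.createServer.
  async function handler(req, res) {
    const url = new URL(req.url, 'http://localhost');
    if (req.method !== 'GET' || url.pathname !== '/feed') return res.writeHead(404).end();
    try {
      const data = await getFeed(url.searchParams.get('limit'));
      res.writeHead(200, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify({ data }));
    } catch (err) {
      res.writeHead(502, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify({ error: 'feed unavailable' }));
    }
  }
  return { getFeed, handler };
}
```

With the handler mounted on the site's own server, the browser-side gallery requests `/feed` and neither the access token nor the client_secret appears in page source.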

mgrn0 commented 8 years ago

Did anyone get a "just show my instagram feed on my website" permission inquiry approved so far?

mgrn0 commented 8 years ago

I submitted my "web app" for approval yesterday, it is "just" a website showing a client's instagram feed and got denied..

screenshot

Is there any way to get this solved? I am really fed up with Instagram for these new API rules, I just want to show a feed on a webpage, nothing else!

jscissr commented 8 years ago

@mgrn0 I think you don't need public_content for your use case, basic is enough. However I don't know if that is the only problem.

mgrn0 commented 8 years ago

Am I wrong - if I want to fetch somebody else's feed, I thought I would need public_content ?

basic - to read a user’s profile info and media (granted by default)
public_content - to read any public profile info and media on a user’s behalf

-> https://www.instagram.com/developer/authorization/#alerts

I could ask the client to give me his login credentials once (he is technically not really skilled) to create the token but that is far from ideal..

jscissr commented 8 years ago

Yes, I thought you would use an access_token from your client. I understand that you want to use a different account, but maybe Instagram doesn't.

cshold commented 8 years ago

My app was also denied as being a simple gallery on an "About Us" page doesn't fit one of their valid use cases:

  1. to help individuals share their own content with 3rd party apps
  2. to help brands and advertisers understand and manage their audience and digital media rights
  3. to help broadcasters and publishers discover content, get digital rights to media, and share media with proper attribution

Seems like they don't want anyone creating Instagram galleries on external websites.

mgrn0 commented 8 years ago

Anyone successful? Is there really nobody out there trying to set up an instagram gallery web-app?

joeblackburn commented 8 years ago

I had a 5 picture feed on a website get rejected for the same "Invalid Use Case". The traffic on the site is small enough that I'm going to try and use it in the sandbox mode and see if the rate limit is an issue.

mgrn0 commented 8 years ago

The sad part of the whole situation is that a scraper is written in less than 1 hour and this kind of restrictions undermine any good will to use a proper API..

(I am not saying that anyone should write or use a scraper. I just think that Instagram's approach is way too strict and not a good one)

baptistebriel commented 8 years ago

I came across the same issue; I just wanted a GET response of the latest posts of a user. I had to specify the accessToken as well as the clientId.

All you have to do is enter the URL with the client_id from your app and the redirected_url: https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=token

You'll get the access_token at the end of the URL and everything should be working fine.

mgrn0 commented 8 years ago

that's all working, but did you get the app reviewed AND approved? It's easy to get it working in sandbox mode, but I did never succeed with the new review process.

baptistebriel commented 8 years ago

Wow? We still need to look into that and do the whole process. I'm still using the sandbox version. But does that mean it's currently NOT possible to use Instafeed.js with an approved app? Will get back here if I have any news on my side. Thank you, @mgrn0

bakura10 commented 8 years ago

For now it seems that retrieving the access token from Instafeed still works.

From what I understand, it is actually Instafeed that must manage to make their app to be accepted. If that works, then we can still use Instafeed to get our access token.

But I may be wrong? In all cases, Instagram sucks on this thing...

mgrn0 commented 8 years ago

As far as I understood we all have to get our own access tokens and instafeed is just the tool, so everybody would have to get his own app/website/gallery (with or without using instafeed, does not matter) approved by Instagram.

Or am I wrong?

bakura10 commented 8 years ago

I think you're wrong. It seems that all the apps just to get an access token are rejected by Instagram. But if Instafeed client alone managed to be accepted, then this one will be able to generate access token for our own accounts.

kokarn commented 8 years ago

No, every single developer needs an approved app on Instagram for this to work outside of sandbox.

mgrn0 commented 8 years ago

Thanks @kokarn, just what I suspected (unfortunately).