How can I get my app using Instagram Basic Display API pass app review?

Question

This is now the 4th time I am sending my app for review. I want to use Instagram Basic Display API and therefore require instagram_graph_user_media permission to access media (and incidentally instagram_graph_user_profile). I have 2 test users, my personal IG account with a bunch of pics and a test user that I created with an empty feed. I can login with both users. But when the Instagram app reviewer is logging in, my app can't access their media. I successfully retrieve the access token but when comes the time to call the Graph API here is what happens:

https://graph.instagram.com/me/media?fields=media_type,media_url,permalink,thumbnail_url&access_token=IGQV....

returns

{"error":{"message":"Application does not have permission for this action","type":"IGApiException","code":10,"fbtrace_id":"A99vuaAC41DSvlt0Hxvcly-"}}

Answer 1

Here is an update from my latest app review rejection. This time, I added the code above to catch code 10 errors and if I did, try to fetch the user profile data. Guess what, that failed with a code 10 error as well. So, whatever the app reviewer is doing, it is granting access to neither the profile or the media API.

Another update. The reviewer I had this time sent me two screenshots, one of the Instagram login screen and one of my app's error screen. Interestingly, the Instagram login screen had a strange Instagram username that I have never heard of before. It certainly wasn't my test Instagram account. So I now have evidence of them both using my test account and their own special test accounts.

The question in my mind now is, is there something special about their test accounts that ruins the process? After all, I have not added them to be testers of my app, although if someone who hasn't accepted my test invite tries to log in, it errors in an entirely different way.

I am running out of ideas here. My next thing to try is to exchange the short-lived access token for a long-lived token, as well as trying to use the new access token to server-side (where I exchange the code for the access token) to check if the access token ever works or if it is created with insufficient access.

This whole process is a nightmare.

Answer 2

I will put this as an answer because we have dealt with this thing now for over 2 weeks and quite a few submissions. I think you should remove the bounty though.

What you have done so far:

• Created and approved IG test accounts
• Double and triple checked parameters & permission
• Tested your app a dozen times
• Created dozens of screencast spoon-feeding, making sure a 5 yo kid would be able to test your app

Having the above, I am sure you noticed:

• The reviewer will add a generic text as 'reject reason.'
• The reviewer will submit the irrelevant and out-of-scope screenshot(s)
• The reviewer will not test with the Instagram credentials provided.
• Maybe he WILL test with the Instagram test credentials provided (in fact you're left in the dark as to how they actually simulate IG access)
• The reviewer will claim he's unable to sign in using provided credentials
• The reviewer claims having tested, but you see no traces in your DB whatsoever (would be smart to do so, to know whether they're actually doing something or not, up to a certain point)

Conclusion

You have to know that your app is at the reviewer's mercy and approval sometimes arbitrarily. Eventually, you will find your app being approved while having submitted it to change at all.