Social Feed Integration Findings (2026-03-03)

Goal

Build a webapp feed that combines social posts from mall/street brands into one thread.

Clarified Product Direction

  • Initial assumption was full API ingestion from Instagram/Facebook/X accounts.
  • Clarified requirement: brands will not onboard/authorize.
  • Current practical direction: embed public posts (primarily by URL), then render in one unified thread in the app UI.

What Was Tested

  • Multiple Meta Graph API user tokens were validated with:
    • GET /me?fields=id,name
    • GET /me/permissions
    • GET /me/accounts?fields=id,name,instagram_business_account{id,username,name}
  • Direct page checks were run with:
    • GET /{page-id}?fields=id,name,category,instagram_business_account{id,username,name}
    • GET /{page-id}?fields=id,name,access_token (to verify page-level token access)

Main Findings

  • Token/account mismatches were frequent (same display name, different Facebook IDs).
  • Accounts Center connection alone did not produce instagram_business_account in API responses.
  • Page linkage must be real and visible in Graph API on the target page object.
  • Even when page object access worked, instagram_business_account remained absent in checks, meaning IG linkage was not active at API level for that page/token state.
  • GET /me/accounts was often empty for the active token/account combination, indicating no visible page-admin relationship for that token flow.

Token and Access Problems Encountered

  • Invalid token sessions:
    • OAuthException code 190, subcode 467 (session is invalid because the user logged out).
  • Missing permissions on new tokens:
    • instagram_basic absent in many generated tokens.
    • Only pages_show_list, pages_read_engagement, public_profile granted in several attempts.
  • App role confusion:
    • Duplicate app role identities with one Pending, one active.
    • Role acceptance state affected whether expected permissions/options appeared.
  • Page identity confusion:
    • Multiple page/profile IDs were tried.
    • Some IDs returned code 100 / subcode 33 (unsupported get request or no permission).

Security Incident Notes

  • Access tokens and account credentials were pasted during troubleshooting.
  • Action required:
    • Rotate all exposed passwords.
    • Revoke/regenerate all exposed tokens.
    • Remove stale app roles/invites to reduce account confusion.

Platform Feasibility for "No Brand Approval"

  • Instagram/Facebook:
    • Full automated latest-post aggregation from arbitrary public accounts is not a reliable official API path without account-level cooperation.
    • Embedding known public post URLs is the safer practical approach.
  • X:
    • Embeds for public posts/timelines are available, but still subject to platform policies and display rules.
  • Store references, not harvested post bodies:
    • { platform, post_url, brand_id, mall_id, street_id, added_by, created_at }
  • Render official embeds in a unified thread component.
  • Add product features at app layer:
    • ordering, filters, tags, moderation flags, search metadata.
  • For Instagram specifically:
    • use curated post URLs (manual/admin-assisted) unless brand OAuth is later introduced.
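A sketch of validating a submitted URL before it is stored in the reference record above. This is an added example, not code from the project. The function name, host lists and path patterns are assumptions about public post URL shapes; only the record fields come from the notes above.

```javascript
// Added example (not project code). Host lists and path patterns are assumptions;
// adjust them to the URL shapes the official embeds actually accept.
const PLATFORMS = {
  instagram: { hosts: ["instagram.com", "www.instagram.com"],
               path: /^\/(p|reel)\/[A-Za-z0-9_-]+\/?$/ },
  facebook:  { hosts: ["facebook.com", "www.facebook.com"],
               path: /^\/[^/]+\/posts\/[A-Za-z0-9]+\/?$/ },
  x:         { hosts: ["x.com", "twitter.com"],
               path: /^\/[A-Za-z0-9_]{1,15}\/status\/\d+\/?$/ },
};

// Returns { ok: true, record } or { ok: false, reason }.
function buildPostReference(input, now = new Date()) {
  // Own-property lookup so "constructor" or "__proto__" cannot pass as a platform.
  const known = Object.prototype.hasOwnProperty.call(PLATFORMS, input.platform);
  if (!known) return { ok: false, reason: "unknown platform" };
  const spec = PLATFORMS[input.platform];

  let url;
  try { url = new URL(String(input.post_url).trim()); }
  catch { return { ok: false, reason: "not a URL" }; }

  if (url.protocol !== "https:") return { ok: false, reason: "https required" };
  // "https://instagram.com@other.example/..." parses with the real host after the "@".
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  if (url.port) return { ok: false, reason: "unexpected port" };
  if (!spec.hosts.includes(url.hostname)) return { ok: false, reason: "host not allowed for platform" };
  if (!spec.path.test(url.pathname)) return { ok: false, reason: "not a post URL" };

  // Drop query and fragment: share links carry tracking parameters, and the
  // stored reference should identify the post only.
  const post_url = `https://${url.hostname}${url.pathname}`;
  return { ok: true, record: {
    platform: input.platform, post_url,
    brand_id: input.brand_id, mall_id: input.mall_id, street_id: input.street_id,
    added_by: input.added_by, created_at: now.toISOString(),
  } };
}
```

Rejected submissions return a reason string that an admin UI can show next to the input; only the normalized post_url is stored and later handed to the embed component.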

Operational Checklist (When Re-testing Meta API)

  • Verify identity:
    • GET /me?fields=id,name
  • Verify scopes:
    • GET /me/permissions
  • Verify page visibility:
    • GET /me/accounts?fields=id,name
  • Verify page linkage:
    • GET /{page-id}?fields=instagram_business_account{id,username}

Success Criteria

  • For API ingestion path:
    • Target page appears in /me/accounts.
    • instagram_business_account is returned on the page object.
  • For no-approval embed path:
    • Feed renders reliably from stored public post URLs across target platforms.