
Instagram Webhook

A signed HTTP POST from Meta to a developer-controlled URL when an event happens on a connected Instagram account — a new comment, message, or mention. The trigger that powers real-time DM automations.

Updated Jun 1, 2026

An Instagram Webhook is a signed HTTP POST that Meta sends to a developer-controlled URL whenever a subscribed event happens on a connected Instagram account — typically a new comment, a new message, a mention, or a story insight update. Webhooks are the trigger that turns a creator's organic activity into a real-time automation.

The flow is as follows. The app subscribes to events via the Graph API (POST /{app-id}/subscriptions with fields like comments, messages, mentions). When a subscribed event occurs, Meta POSTs JSON to the configured callback URL. The request carries the header X-Hub-Signature-256: sha256=<hex>, an HMAC-SHA256 of the raw body keyed on the app secret. The server must verify the signature against the unparsed body (any JSON re-serialization changes the bytes and breaks the hash), respond 200 within roughly 5 seconds, and process the event asynchronously.

Why the contract is strict

Meta retries failed deliveries on exponential backoff but eventually marks the webhook unhealthy and disables the subscription. A 200 acknowledges receipt — not success — so the receiver must enqueue work and return fast. Inline DM sending inside the webhook handler is a classic mistake that causes Meta to time out the callback and double-deliver.

Gotchas

  • Outbound DMs the app itself sends arrive back as messages events with is_echo: true. Filter these or you'll infinite-loop on your own replies.
  • The signature must be computed on the exact byte sequence of the body. ASGI frameworks that parse JSON before exposing the body to middleware will silently produce mismatched hashes.
  • For comment events, the payload carries the comment ID but not the parent comment text — you must call back to the Graph API to fetch context.
  • Webhook subscriptions are app-scoped, not user-scoped — every connected account's events flow through the same callback URL.

For HMAC verification with FastAPI or Express examples, see how to automate Instagram DMs legally.

Example

A comment lands on a Reel at 14:23:01. Meta POSTs to https://api.example.com/webhook with X-Hub-Signature-256: sha256=a1b2c3.... The server reads the raw body, computes HMAC-SHA256(app_secret, raw_body), compares with crypto.timingSafeEqual, and returns 200 in 18 ms. A worker picks up the job from Redis, dedupes against sent_dms, and dispatches the DM at 14:23:11 with a deliberate 10-second defer, Instagram's required cooling-off before the first private reply.
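The receiver side of the scenario above, as an added example that is not code from this page or from Meta: it verifies the signature over the raw bytes, shows why a re-serialized body fails, and drops is_echo events before enqueueing. The secret, the sample payload and its entry/messaging shape, and the 401 response are assumptions of this example.

```javascript
const crypto = require('crypto');

const APP_SECRET = 'constructed-test-secret'; // placeholder, not a real app secret

// Constructed sample body. The spaces matter: they are part of the signed bytes.
const SAMPLE_RAW = Buffer.from(
  '{"object": "instagram", "entry": [{"messaging": [' +
  '{"message": {"mid": "m1", "text": "hi"}}, ' +
  '{"message": {"mid": "m2", "is_echo": true}}]}]}', 'utf8');

// Header value for a given raw body: "sha256=" + hex HMAC-SHA256 keyed on the app secret.
function sign(rawBody, secret) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Verify X-Hub-Signature-256 against the body exactly as received (a Buffer),
// before any JSON parsing has touched it.
function verifySignature(rawBody, headerValue, secret) {
  if (typeof headerValue !== 'string' || !headerValue.startsWith('sha256=')) return false;
  const expected = Buffer.from(sign(rawBody, secret), 'utf8');
  const received = Buffer.from(headerValue, 'utf8');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (expected.length !== received.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Returns the HTTP status to send and the events to enqueue for a worker.
// No DM is sent here: the handler only verifies, filters and hands off.
function handleDelivery(rawBody, headerValue, secret) {
  if (!verifySignature(rawBody, headerValue, secret)) return { status: 401, jobs: [] };
  const body = JSON.parse(rawBody.toString('utf8')); // parse only after verification
  const jobs = [];
  for (const entry of body.entry || []) {
    for (const event of entry.messaging || []) {
      if (event.message && event.message.is_echo) continue; // the app's own outbound DM
      jobs.push(event);
    }
  }
  return { status: 200, jobs };
}

// The same JSON after parse + stringify has different bytes, so the signature no longer matches.
function reserializedStillVerifies() {
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_RAW.toString('utf8'))));
  return verifySignature(reserialized, sign(SAMPLE_RAW, APP_SECRET), APP_SECRET);
}
```

In Express, the raw Buffer can be obtained with express.raw({ type: 'application/json' }) on the webhook route, or with the verify callback of express.json().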
