
Long-Lived Access Token

Also known as: LLAT

A 60-day OAuth token Meta issues to apps that need persistent access to an Instagram account. Refreshed before expiry. The token an auto-DM platform stores to call the Graph API on a creator's behalf.

Updated Jun 1, 2026

A Long-Lived Access Token (LLAT) is the 60-day OAuth token Meta issues to apps that need persistent access to an Instagram Business or Creator account. It is the token a comment-to-DM platform stores in its database and presents on every Graph API call made on a creator's behalf.

The lifecycle has three stages. (1) OAuth completes and you receive a short-lived token (~1 hour). (2) Exchange it via GET /access_token?grant_type=fb_exchange_token for a long-lived token (60 days). (3) Refresh before expiry by calling GET https://graph.instagram.com/refresh_access_token?grant_type=ig_refresh_token&access_token=<current> — the response carries a new 60-day token. Tokens are refreshable any time after they are 24 hours old; if they go 60 days untouched, they expire and cannot be revived without re-doing the OAuth handshake.

Operational pattern

Production platforms run a background job daily and refresh any token older than 50 days. Cutting it closer than that risks edge cases — network blips, partial outages, or worker failures that delay the refresh past day 60. Tokens are encrypted at rest (Fernet is a common choice) and decrypted only at call time, never logged.

Gotchas

  • Refreshing a token returns a new string. The old one keeps working briefly but should be considered stale — replace it atomically in your database before the next API call.
  • A user changing their password, revoking app permissions in Settings, or deauthorizing via the Facebook Business Settings invalidates the token immediately — the next call returns error code 190 ("Invalid OAuth access token"). Workers should treat 190 as a hard signal to mark the account inactive and prompt re-auth, not retry.
  • Tokens are scoped to the granted permissions; adding new product features that need extra permissions requires the user to re-consent — refresh alone won't add scopes.

For the broader API surface the LLAT unlocks, see Instagram Graph API.

Example

A creator connects on March 1. The short-lived token is exchanged for an LLAT good until April 30. A nightly worker checks token age at 02:00 UTC; on April 19 (day 49) it calls refresh_access_token, gets a fresh 60-day token valid until June 18, and replaces the row in accounts within a single transaction. On April 25 the creator changes their Instagram password, and the next Graph API call returns error 190. The worker catches it, marks the account inactive, and emails the creator a reconnect link.
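The nightly job from Operational pattern, combined with the first two gotchas, as an added example (not the platform's own code). The accounts schema, GraphError, refresh_call and the encrypt/decrypt callables are assumptions: in production refresh_call would wrap the refresh_access_token request and the callables would come from a real cipher such as Fernet.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

REFRESH_AFTER = timedelta(days=50)  # refresh threshold stated on this page
OAUTH_INVALID = 190                 # "Invalid OAuth access token": never retry

class GraphError(Exception):  # hypothetical wrapper for a Graph API error response
    def __init__(self, code):
        super().__init__(f"Graph API error {code}")  # message carries no token
        self.code = code

def run_refresh_job(db, now, refresh_call, encrypt, decrypt):
    """Refresh active tokens older than 50 days; return {account_id: outcome}."""
    outcomes = {}
    rows = db.execute("SELECT id, token_ct, issued_at FROM accounts WHERE active = 1").fetchall()
    for acct_id, token_ct, issued_at in rows:
        if now - datetime.fromisoformat(issued_at) <= REFRESH_AFTER:
            outcomes[acct_id] = "fresh"
            continue
        try:
            new_token = refresh_call(decrypt(token_ct))  # plaintext only at call time
        except GraphError as err:
            if err.code == OAUTH_INVALID:
                with db:  # commit or roll back as one unit
                    db.execute("UPDATE accounts SET active = 0 WHERE id = ?", (acct_id,))
                outcomes[acct_id] = "reauth_required"
            else:
                outcomes[acct_id] = "retry_next_run"  # the 10-day margin absorbs this
            continue
        with db:  # swap ciphertext and timestamp in a single transaction
            db.execute("UPDATE accounts SET token_ct = ?, issued_at = ? WHERE id = ?",
                       (encrypt(new_token), now.isoformat(), acct_id))
        outcomes[acct_id] = "refreshed"
    return outcomes

def demo():
    """Constructed sample: three accounts, a fake Graph client, a stand-in cipher."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, token_ct TEXT, issued_at TEXT, active INTEGER)")
    now = datetime(2026, 4, 21, 2, 0, tzinfo=timezone.utc)
    enc, dec = (lambda t: t[::-1]), (lambda c: c[::-1])  # placeholder, NOT encryption
    for acct_id, token, age in [(1, "tok-a", 51), (2, "tok-b", 10), (3, "tok-c", 51)]:
        db.execute("INSERT INTO accounts VALUES (?, ?, ?, 1)",
                   (acct_id, enc(token), (now - timedelta(days=age)).isoformat()))
    def fake_refresh(token):  # account 3's token was revoked by its owner
        if token == "tok-c":
            raise GraphError(OAUTH_INVALID)
        return token + "-new"
    return run_refresh_job(db, now, fake_refresh, enc, dec), db
```

The outcome map contains only account ids and states, so it can be logged without exposing a token.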
