Developer · Meta App Review
Permission Documentation
Meta App Review · Instagram Graph API · v1.0
Introduction
This document contains detailed written justifications for the three Instagram Graph API permissions requested by Bandeira, supporting the formal Meta App Review submission process. Click each permission tab above to view the four required answers in the format specified by Meta Developer Platform.
About Bandeira
Bandeira Tecnologia LTDA
B2B SaaS platform headquartered in São Paulo, Brazil, helping political mandates, candidates, parties and political organizations coordinate authorized content republication across networks of consenting Instagram Business accounts.
Authorized network coordination
Each Supporter signs an electronic Authorization Term — with hash, IP, timestamp, and SMS confirmation — explicitly granting the Client the right to republish content from authorized Origin accounts to the Supporter's Destination account, within strict operational limits.
Compliance-by-design
Visible attribution, daily caps, blackout windows, randomized timing, human approval, AI content filtering, immutable audit trail, self-service revocation. Not promises in policy — technical enforcement in code.
Permissions overview
| Permission | Type | Purpose | Required for |
|---|---|---|---|
| instagram_business_basic | Required | Read basic public profile information of authorized accounts and capture posts from authorized Origin accounts | Account verification, editorial workflow |
| instagram_business_content_publish | Required | Publish approved content to authorized Destination accounts with mandatory visible attribution | Core platform functionality |
| instagram_business_manage_comments | Optional | Moderate comments on Bandeira-published posts, when explicitly authorized by Supporter through separate consent | Comment moderation feature (Supporter opt-in) |
Compliance commitments enforced technically
Visible attribution
Every republication includes "via @original_account" prepended to the caption. Server-side enforced, cannot be disabled by Clients.
Daily cap & blackout
Maximum 3 publications per Supporter account per 24 hours. Mandatory blackout 10 PM to 7 AM Brasília time.
Randomized timing (jitter)
5-45 minute jitter on scheduled publications to avoid simultaneous posts that would indicate coordinated inauthentic behavior.
Human approval required
Every individual publication requires editorial approval by Client. No "publish all" or "auto-publish" option exists.
AI pre-publication filter
Every post analyzed for defamation, hate speech, deepfake indicators, and electoral law violations. Flagged content requires explicit secondary approval.
Self-service revocation
Supporters can revoke authorization at any time via personal panel. New publications stop within 24 hours; personal data deleted within 15 days.
Bandeira uses the instagram_business_basic permission to read basic public profile information of Instagram Business accounts that have explicitly authorized participation in a Client's coordinated network through our platform. This permission is fundamental for the operational functioning of the platform and is used in two specific contexts.
First, when a Supporter (the individual who owns an Instagram Business account) connects their account to Bandeira through the official Meta OAuth flow, we use this permission to read the account's public profile information: username, profile picture URL, biography, account ID, and account category (Business or Creator). This information is displayed in the Client's administrative panel so that the Client can verify which authorized Supporters are part of their network and confirm that the connection is correctly established.
Second, when content is captured from authorized Origin accounts (typically the Client's own account or accounts of authorized political allies), we use this permission combined with the read scope of media to access the post identifier, media URL, caption text, timestamp, and basic engagement metrics (likes count, comments count). This data is essential to populate the editorial queue where the Client reviews and approves which posts will be republished across the Destination accounts.
We make these API calls at low frequency: typically 1-3 times per hour per authorized account during normal operation, with rate limiting implemented on our backend to never exceed Meta's published rate limits. We cache responses for at least 15 minutes to minimize redundant calls. We do not use this permission to access private information, direct messages, follower lists, or any data outside the basic public profile and posts that the account itself has already published publicly.
This permission is essential and not replaceable for the core functioning of Bandeira. Without it, the platform cannot operate at all. Three specific reasons explain why.
First, identity verification of authorized accounts is mandatory for our consent and audit framework. When a Supporter signs the Authorization Term and connects their account, we need to verify and persistently log which exact Instagram Business account was authorized. The username and account ID provided through this permission are the only reliable way to do this — relying solely on user-provided text would create vulnerability to typos, spoofing, and authorization fraud. Our consent audit logs (retained for 5 years per Brazilian electoral law) require this verification.
Second, the Client must be able to verify their own network in the panel. Clients pay between R$899 and R$80,000 per month for Bandeira services and need to see which Supporters have actually completed the authorization flow versus those who received invitations but have not yet authorized. Without basic profile reading, we cannot show this information, and Clients have no way to verify their service is delivering as expected.
Third, the editorial workflow requires reading post content from authorized Origin accounts. Bandeira does not generate content — it organizes the republication of content that the Origin account has already published publicly on Instagram. To present this content for editorial review and approval, we must read it via Graph API. There is no alternative method that respects Meta Platform Terms and provides reliable, structured access to public posts of authorized accounts.
We considered and rejected alternatives. Manual entry of post URLs by Clients would create excessive friction and human error. Web scraping is explicitly prohibited by Meta Platform Terms and is not technically reliable. Webhook-only approaches are insufficient because Bandeira needs to retrieve historical posts, not just new ones.
This permission directly benefits the three categories of users on our platform.
Supporters benefit because they receive a transparent, auditable, and revocable mechanism to participate in political communication networks they believe in. Without our platform, a Supporter who wants to amplify a political mandate they support typically has two options: manually copy-paste content (which is tedious, inconsistent, and produces obvious coordinated content patterns that violate Meta Platform Terms) or grant informal verbal permissions to campaign staff (which lacks any formal documentation and creates security risk for both parties). Bandeira gives them a formal, legally recognized framework with audit trail and self-service revocation. The basic profile reading allows their participation to be visible and verifiable in their personal panel.
Clients benefit because they can finally operate political communication networks within a compliant, documented framework instead of relying on informal coordination over WhatsApp or face-to-face that creates legal risk under Brazilian electoral law and is increasingly scrutinized by Brazilian courts. The basic profile reading enables them to manage their network with transparency and accountability.
The broader platform ecosystem benefits because Bandeira represents a model that distinguishes itself from coordinated inauthentic behavior. Each authorized account is verified, each Supporter signs explicit consent, every republication includes mandatory visible attribution to the original author, and human approval is required before publication. By providing a structured pathway for legitimate political amplification with full transparency, Bandeira reduces incentives for opaque, problematic coordination methods that threaten platform integrity.
Users are informed about this data usage at multiple touchpoints: the consent screen before OAuth, the Authorization Term they sign electronically, the welcome email after authorization, the personal panel they access, and our Privacy Policy at bandeira.app.br/privacy.
Bandeira informs users about the data usage enabled by this permission at five distinct touchpoints, designed to ensure informed consent at every stage.
First, in the invitation: when a Client invites a Supporter to participate in their network, the invitation message (sent via WhatsApp, email, or SMS) explicitly mentions that the Supporter will be asked to grant Bandeira access to their Instagram Business account through the official Meta authorization flow. The message includes a link to the consent screen and clarifies that the Supporter can decline or revoke at any time.
Second, on the consent screen at bandeira.app.br/aceite/[token]: before the OAuth flow begins, the Supporter sees a clear screen displaying which permissions will be requested, what each permission allows, what data will be accessed, what the Client will and will not be able to do, and the duration and conditions of the authorization. The screen requires the Supporter to mark four explicit checkboxes confirming understanding of each item.
Third, in the Authorization Term: the Supporter is presented with the full electronic Authorization Term (available in long form for legal review and short form for mobile-first acceptance), which explicitly references each Meta permission requested and explains in plain Portuguese what each permission allows. The Term must be electronically signed with hash, IP, timestamp, and SMS confirmation.
Fourth, in the welcome email: immediately after authorization, the Supporter receives a confirmation email with a summary of the permissions granted, a link to the personal panel where they can monitor activity, and a direct link to revoke authorization with one click.
Fifth, in the personal panel at bandeira.app.br/apoiador: the Supporter can at any time access their personal panel showing all activity on their account performed through Bandeira, the current status of authorization, and a self-service "Revoke authorization" button that is always visible.
Additionally, our Privacy Policy at bandeira.app.br/privacy contains a dedicated Section 11 titled "Specific section — Meta Platforms (Instagram) integration" that documents in detail the use of each requested permission, including this one.
Bandeira uses the instagram_business_content_publish permission to publish content that has been explicitly approved by both the Origin account owner (who created the original content) and the Destination account owner (the Supporter, who has signed an Authorization Term granting publication rights within strict limits). This is the core functionality of the platform.
The technical flow is the following: the Client reviews posts captured from authorized Origin accounts in the editorial queue panel, marks specific posts for republication across selected Destination accounts (the Supporter network), and the system schedules each republication respecting the operational rules. At the scheduled time, our backend uses this permission to call the Meta Graph API media publish endpoint, providing the media file (image or video), the caption text with mandatory attribution prepended (e.g., "via @original_account"), and any required metadata.
Critical operational constraints are enforced automatically and cannot be disabled or bypassed by Clients:
- Maximum 3 publications per Supporter account per 24-hour period
- Mandatory blackout window (default 10:00 PM to 7:00 AM Brasília time, configurable only within stricter parameters, never looser)
- Randomized timing within scheduled windows (jitter of 5-45 minutes) to avoid simultaneous publications across the network
- Mandatory visible attribution prepended to every caption — this string is enforced server-side and cannot be removed by the Client
- Human approval required for every individual publication — there is no "publish all" or "auto-publish" option
- AI content filter analyzes every post for defamation, hate speech, deepfake indicators, and electoral law violations before publication; any flagged content requires explicit secondary approval
- Detection system that monitors Origin posts every 15 minutes and automatically cancels pending republications if the original is deleted
Each publication is logged in our immutable audit trail with timestamp, source account, destination account, approver identity, content hash, and Meta API response. These logs are retained for 5 years and are exportable in formats compatible with Brazilian electoral law (TSE) audit requirements.
This permission is the core differentiator of Bandeira and not replaceable by any alternative method. Without it, the platform cannot deliver its primary value proposition.
The fundamental problem we solve is this: Brazilian political mandates and campaigns operate networks of consenting supporters who want to amplify the mandate's message on their own social media accounts. Today, this happens through manual coordination — campaign staff sends content via WhatsApp, supporters copy-paste it into their accounts, and everyone hopes the timing is reasonable. This produces three serious problems.
First, the manual approach scales poorly. A network of 100 supporters cannot be coordinated by a small campaign team without errors, delays, and inconsistencies. A network of 500 supporters cannot be managed at all without industrial-grade tooling.
Second, manual coordination produces patterns that look like coordinated inauthentic behavior to Meta's detection systems: simultaneous posts, identical captions, no visible attribution, suspicious timing. This actually puts both supporters and the campaign at risk of platform enforcement, even though the underlying intent is legitimate authorized amplification by consenting parties.
Third, manual coordination has no audit trail, no formal authorization documentation, and no compliance with Brazilian electoral law (TSE) requirements for content marking, financial attribution, and prohibited periods. This creates legal liability for everyone involved.
Bandeira solves all three problems by doing the publishing through this permission, with all the operational constraints listed in section 2.1 enforced automatically. Each publication is documented, attributed, rate-limited, and timed to avoid suspicious patterns. This is the inverse of coordinated inauthentic behavior — every aspect is authorized, transparent, and auditable.
We considered and rejected the alternative of "manual assisted mode" (where Bandeira would generate deep links and supporters would tap to publish manually). This alternative is technically feasible but practically unworkable for large networks because (a) it requires every supporter to actively engage with each piece of content, defeating the purpose of organized amplification, (b) it produces the same suspicious timing patterns as raw manual coordination, and (c) it has no audit trail that the publication actually occurred. Manual assisted mode could be a fallback for niche use cases but cannot serve the core market.
This permission produces concrete benefits for all participants and, importantly, for the broader Instagram platform integrity.
Supporters benefit by participating in political communication they care about with significantly less effort than manual coordination. Instead of monitoring WhatsApp groups and copy-pasting content, they grant authorization once and let the system handle the rest within the limits they consented to. They retain full control: they can revoke at any time, they can pause specific campaigns, they receive notifications about each pending publication, and they can switch to "active mode" where they review each publication before it goes live. The mandatory daily cap, blackout windows, and timing jitter ensure their account never appears artificially active or compromised.
Clients benefit by operating their authorized network with industrial-grade coordination instead of WhatsApp chaos. They get unified editorial workflow, real audit trails compliant with Brazilian electoral law, and the assurance that every publication carries visible attribution to the original author — protecting them from claims that their content distribution was deceptive. The R$899 to R$80,000 per month pricing is sustainable because they can replace the work of multiple full-time coordinators with the platform.
Original content authors benefit because every republication is properly attributed. Even when an Origin account is also the Client's account, the attribution requirement protects the broader principle that audiences understand whose content they are seeing. When the Origin account is a third party authorized by the Client, the attribution ensures their authorship is recognized.
The Instagram platform benefits because Bandeira represents a structured, transparent, compliant alternative to the gray-zone coordination that exists today. By providing tooling that enforces visible attribution, daily caps, blackouts, jitter, and human approval, Bandeira reduces the incentive for political networks to operate through opaque means that genuinely threaten platform integrity. Each Bandeira publication is documented in a way that, if requested, can be presented to Meta's integrity teams as evidence of legitimate operation.
The broader political-democratic ecosystem benefits because Bandeira raises the floor of acceptable political coordination. Networks that previously operated informally are now operating with formal authorization, audit trails, and contractual compliance with Brazilian electoral law. This is a net improvement for democratic transparency.
Bandeira ensures users are fully informed about how this permission will be used through a comprehensive, multi-touchpoint disclosure framework — the most rigorous of all three permissions because content publishing is the most consequential operation.
Before authorization, the consent screen at bandeira.app.br/aceite/[token] displays a dedicated section titled "What will Bandeira do on your account?" with explicit text in plain Portuguese: "The Bandeira platform will publish on your Instagram Business account selected content from authorized accounts of [Client name], with visible attribution to the original author, respecting limits of maximum 3 publications per day, blackout from 10 PM to 7 AM, and prior human approval. You will be notified of every publication and can revoke authorization at any time."
The Authorization Term — both long form (legal document) and short form (mobile-first 6-screen acceptance flow) — contains an entire section titled "What Bandeira will do" listing every operational behavior in detail. The Supporter must check four explicit consent checkboxes before being able to proceed: (1) "I authorize Bandeira to publish content on my account within the limits described", (2) "I understand that every publication will visibly attribute the original author", (3) "I confirm I am the legitimate owner of this Instagram account", and (4) "I confirm I am over 18 years of age and acting voluntarily".
After each publication, in optional "active mode," the Supporter receives a WhatsApp notification (if enabled) showing what was just published on their account, with a one-click link to view the post and a one-click "Cancel and pause future publications" button.
In the personal panel, the Supporter sees a complete history of every publication made through Bandeira on their account, with date, time, content preview, link to the published post, and the original Origin account that authored the content.
In the welcome email, sent immediately after authorization, the operational rules are summarized once more, with links to all relevant documentation including this Privacy Policy section.
Every publication carries the visible attribution string that appears as the first line of the caption — making it immediately clear to anyone viewing the post on Instagram that the content originated from another account. This serves not only as platform integrity protection but as continuous in-context disclosure.
Our Privacy Policy at bandeira.app.br/privacy in Section 11.4 ("Mandatory safeguards on every republication") documents every operational constraint that governs this permission's use.
Bandeira uses the instagram_business_manage_comments permission, when explicitly authorized by the Supporter as a separate optional consent, to perform two specific moderation tasks on publications made through the platform.
First, comment monitoring on platform-published posts: when content is published via Bandeira on a Supporter's account using the instagram_business_content_publish permission, comments may receive responses that include hate speech, defamation, threats, illegal content, or content prohibited by Brazilian electoral law. Without this permission, the Supporter would have to manually monitor every comment thread on every publication. With this permission, our system can read comments on publications it has made and flag problematic comments for the Supporter's review through their personal panel.
Second, moderation actions: based on rules configured by the Supporter (not the Client), our system can automatically hide comments that contain prohibited content, such as racial slurs, explicit threats, or content flagged by our AI filter. The Supporter chooses the moderation level — from "alert me only" (no automated action, just notifications) to "auto-hide flagged comments" (system hides comments matching configurable criteria). The Supporter can review and reverse any automated action through the panel.
Critical scoping constraints, enforced technically:
- This permission applies ONLY to publications made through Bandeira. Comments on the Supporter's organic posts (not made through Bandeira) are never read or moderated.
- Direct messages (DMs) are NEVER accessed, read, or modified — this permission does not include DM scope, and we do not request any related permission.
- The Client never has direct access to read or moderate comments. All actions go through the Supporter's explicit configuration.
- Hidden comments are recorded in the audit trail; the Supporter can always restore any hidden comment.
- This permission is opt-in and separate. A Supporter can authorize the platform with content_publish but decline manage_comments — the platform fully functions without this permission, just with manual comment moderation.
Technically, our backend reads comments via the Meta Graph API on a polling schedule (approximately every 30 minutes for active publications, slowing to every 6 hours after 48 hours), with on-demand fetching when the Supporter opens the panel. Hide actions occur immediately upon configured trigger or Supporter manual action. Rate limits are respected; we do not exceed Meta's published call limits per account.
This permission is optional but provides significant value to a subset of our users — specifically, Supporters whose accounts attract high comment volume on political content and who lack time or capacity to manually moderate every comment thread. Without this permission, those Supporters face three problems.
First, reputational risk. When the Supporter's account hosts publications via Bandeira (with their authorization), comment threads can attract trolling, hate speech, threats, or defamation against the Client or against other commenters. The Supporter is the legal owner of the account and is responsible (in some cases legally responsible under Brazilian law) for content that remains visible. Without moderation tooling, they bear the full burden of manual monitoring.
Second, legal compliance under Brazilian electoral law. TSE rulings have established that account owners can be liable for defamatory or election-violating content in their comment sections if they have means to moderate but fail to act. The Supporter authorizing political content publications has heightened exposure, and comment moderation tools reduce this exposure.
Third, mental health and time burden. Supporters are typically not professional social media managers. They are political volunteers, allies, family members, or sympathizers. Asking them to constantly check their phone for new comments on publications made by Bandeira on their behalf is unrealistic and causes burnout that leads to network attrition.
We considered alternative approaches and found them insufficient. Asking the Supporter to manually monitor comments is the current state and produces the problems above. Asking the Client to monitor would expose them to direct contact with the Supporter's audience, which is not the desired model. Using a third-party social media management tool is not technically feasible because such tools cannot read comments on accounts they did not publish to.
We made this permission OPTIONAL because not every Supporter wants this functionality. Some prefer manual moderation; some have low comment volume; some are comfortable with the visibility of all comments. The Supporter is given a clear separate consent flow specifically for this permission, distinct from the content_publish authorization, and can decline this permission while still receiving the benefits of the other permissions.
Supporters who opt in to this permission receive direct, measurable benefits to their Instagram experience and well-being.
First, automated protection from harmful comment content. When the Supporter configures their preferred moderation level, the system reduces exposure to harmful comments without requiring constant manual monitoring. This is particularly valuable for Supporters who experience targeted harassment due to their political positions, which is unfortunately common in Brazilian political discourse.
Second, time recovery. A typical Supporter with 30 publications per month via Bandeira may receive hundreds of comments. Manual review of each comment is unsustainable. Automated flagging and hiding (with override capability) allows the Supporter to spend minutes per week on moderation instead of hours.
Third, legal risk reduction. As noted in section 3.2, Brazilian electoral law and TSE jurisprudence place increasing responsibility on account owners to moderate comments on political content. The moderation tooling reduces the Supporter's legal exposure by providing documented, auditable moderation actions.
Fourth, account health. Maintaining a comment section that is dominated by hate speech or trolling damages the Supporter's account in multiple ways: it reduces engagement quality, signals problems to the Instagram algorithm, and degrades the Supporter's personal brand. Active moderation maintains account health.
The broader Instagram ecosystem benefits because Bandeira-published posts have actively moderated comment sections, reducing the prevalence of policy-violating comments on political content. This is consistent with Meta's own community standards goals.
Importantly, no Client receives any data or capability through this permission. The Client cannot read comments, cannot moderate comments, and is not informed about comment moderation actions. This permission exclusively serves the Supporter, the legitimate owner of the account, in managing their own account.
Because this permission is optional and separate from the others, our disclosure framework is specifically designed to ensure the Supporter understands they are making an additional, distinct choice.
On the consent screen, this permission is presented in a separate visual section with its own heading "Optional: Comment moderation". The text explicitly states: "You can authorize Bandeira to help you manage comments on publications made through the platform. With this authorization, the system can identify potentially harmful comments and apply moderation rules you configure. You can decline this without affecting other authorizations." A separate checkbox allows opt-in or skip.
In the Authorization Term, this permission has a dedicated subsection separate from the content_publish authorization. The text describes exactly what the permission allows (read and hide comments on Bandeira-published posts), what it does NOT allow (read DMs, moderate comments on non-Bandeira posts, give Client access to comments), and the Supporter's ongoing control (can change moderation level, can review hidden comments, can revoke this specific permission while keeping others).
In the personal panel, after authorization, the Supporter sees a "Comment moderation" section showing current settings, a log of moderation actions taken, and a button to adjust rules or disable the permission entirely. Every automated moderation action sends a notification (configurable: in-app, email, or WhatsApp).
On the moderation activity page, the Supporter can see every comment that was hidden, by which rule, on which publication, with one-click restoration available. The audit trail demonstrates that moderation is transparent and reversible.
In the welcome email after authorizing this specific permission, the Supporter receives a dedicated message titled "About comment moderation" with a clear explanation of how the feature works and a link to adjust settings or disable.
In our Privacy Policy at bandeira.app.br/privacy, Section 11.1 lists all three permissions and explicitly notes that instagram_business_manage_comments is optional and requires separate Supporter consent.
Finally, every Supporter retains the absolute right to revoke this specific permission through the personal panel (without revoking other authorizations) or directly through Instagram's "Apps and Websites" settings, with effect within 24 hours.
Supporting Documentation
Additional materials prepared for the Meta App Review submission, including demo videos, screencasts, public URLs and test credentials.
Demo video
A demonstration video showing the complete user journey will be uploaded to YouTube as "unlisted" before submission. URL to be added to the App Review submission form.
The video covers, in approximately 6 minutes:
- → Supporter consent flow including OAuth authorization and SMS confirmation
- → Client editorial workflow with content approval
- → Publication on Destination accounts with visible attribution
- → Operational controls: rate limits, blackout, jitter, human approval
- → Self-service revocation by Supporter
- → Audit trail and compliance documentation
Permission-specific screencasts
Screencast 1 (60s)
instagram_business_basic — shows OAuth flow, account verification, and post capture from authorized Origin account.
Screencast 2 (90s)
instagram_business_content_publish — shows editorial approval and publication with visible attribution.
Screencast 3 (60s)
instagram_business_manage_comments — shows optional opt-in flow and moderation panel.
Public URLs for review
Privacy Policy (English)
bandeira.app.br/privacyPrivacy Policy (Portuguese)
bandeira.app.br/privacidadeTerms of Use
bandeira.app.br/termsData Deletion Request
bandeira.app.br/data-deletionSupporter Authorization Term
bandeira.app.br/supporter-termPublic site
bandeira.app.brTest accounts
For Meta App Review testers, the following test accounts will be available with credentials provided through the Meta Developer Dashboard secure submission:
Test Client account
Full panel access. Demonstrates editorial workflow, network management, content approval, and audit trail.
3 test Supporter accounts
Pre-authorized for full flow testing. Can be used to verify consent flow, OAuth, revocation, and panel access.
1 test Origin account
Instagram Business account with 20+ public posts ready for capture and republication testing.
Contact for App Review questions
Email: developer@bandeira.app.br
Response time: within 24 hours during business days (Brasília timezone, GMT-3)
Backup contact: [Founder name] at [direct email] — to be added before submission
Closing statement
Bandeira represents a deliberate effort to provide structured, transparent, compliant tooling for political content amplification — replacing informal coordination methods that create risk for users, account owners, and platform integrity.
The three permissions requested are essential to this mission, used within strict operational constraints, and supported by comprehensive consent and audit frameworks. Every safeguard described in this document is enforced technically in our platform, not merely promised in policy.
We thank the Meta App Review team for their attention and look forward to questions or requests for clarification through the standard review process.