Social media tools like Agorapulse work because social media platforms (like Instagram) have APIs (application programming interfaces).
An app like Instagram doesn’t want to show you everything that’s going on under its hood — so it provides an API that responds only to the requests it allows. A tool like Agorapulse can send a request to Instagram: for example, it can request that Instagram provide the number of likes you received on your most recent Instagram post. Instagram’s API receives that request, and delivers to Agorapulse the number of likes you received. Agorapulse’s Reports feature visualizes the answer for you.
Each social media network controls what their API can do. For example, you can schedule posts for Twitter not just because Agorapulse provides that service, but because Twitter allows Agorapulse to take that action. It’s up to Twitter to allow a third-party software tool to provide users with that functionality.
Instagram does not allow apps to post directly to users’ profiles through a third-party software tool. Currently, the company wants only the human touch. That means you can schedule your Instagram post within a social media management tool like Agorapulse, but then that tool can only copy the content so you can send (the image) and paste (the text) into the Instagram app yourself.
There are some apps that have reverse-engineered the Instagram API so that they can automatically post directly to Instagram for users. You might think this is a clever way to get around the posting issue, but it is in direct violation of Instagram’s Platform Policy, which states, “Don’t reverse engineer the Instagram APIs or any of Instagram’s apps.”
You’re taking a huge risk by using a third-party software that reverse engineers the Instagram API so that you can schedule content that automatically posts. When you use an app that attempts to post to Instagram in ways that are not authorized, you may experience one or more of the following consequences:
Your published media could be deleted from Instagram. This has happened to many users.
Instagram can ban or delete your account for violating Instagram’s terms and policies.
You may lose access to your account or it may be hacked. Keep security in mind when you use an app by a developer you don’t know and who is not an official Instagram partner.
No matter how reliable the platform or how fine-tuned your security practices are, there is still a risk. For example, even the social scheduling tool Buffer experienced a security breach. If established companies with security teams can still experience security issues, then a third-party tool that uses APIs inappropriately and doesn’t use best security practices is even more vulnerable.
Would you post your Instagram login and password to a public webpage or a forum? Of course not! By providing them to a company you don’t know and is probably headquartered in a country you’ve never been to, you’re potentially doing that.
Why increase that risk?
These apps require you to give them your login credentials, like your password. No third-party app should ask you for your password directly. It should redirect to Instagram. For example, when you try to add an Instagram profile to your Agorapulse account, Agorapulse redirects you to Instagram.com, where you login directly to Instagram and allow Agorapulse access as a third-party app. Agorapulse is not provided with your password.
This means no one has your login info but you.
For some social media managers, this is also an ethical choice. A social media platform is offering an API with limited functionality because the company’s values are focused on “keeping it real” on Instagram and avoiding mass automation. Do you really want to use shady apps to go against the values of the social network you rely on to promote your business?
If you’re taking risks with your personal Instagram account, then the risk is yours (and your family’s if family photos are involved). However, if you’re managing social media for a business, you have responsibility for a company’s assets.
For you agencies and social media managers, the risks are even higher. A choice that goes against security and ethical best practices could result in a bad performance review at best and getting fired at worst.
It’s not worth risking your job just to post directly to Instagram.
Great social media managers are as mindful of security as they are of content. If you are hiring a community manager or social media manager, consider asking candidates such security-minded questions as:
For the latter question, a social media manager should regularly review what apps have access to the Instagram account’s information. To see what apps are connected and revoke access to apps you no longer use, login to your Instagram account on the web and select “Edit Profile,” then select “Authorized Applications.” Review the list of apps and what permissions they have.
Choose “Revoke Access” if you no longer use the app. If you use a third-party app that requests your login information directly, you will not see it in this list. You run the risk of forgetting what apps have access or losing your account altogether. If you change your password, apps that are appropriately connected will still be able to function, while those that use Instagram in unauthorized ways, such as to post directly to Instagram, will stop working.
Do you still feel that the benefits outweigh the risks of using a third party scheduled post tool for Instagram? Let us know in the comments!