[[updated December 10, 2018]]
At the time of publishing this article, no third-party tools could automatically post scheduled content to your Instagram profile. In 2018, that changed.
Now, Instagram has updated its API to allow specially authorized apps like Agorapulse to publish directly on your behalf to business profiles. YES!
What is an API?
Social media tools like Agorapulse work because social media platforms (like Instagram) have APIs (application programming interfaces).
An app like Instagram doesn’t want to show you everything that’s going on under its hood — so it provides an API that responds only to the requests it allows. As of December 11, 2018, authorized third party tools no longer use the Instagram API. Instead, they use the Instagram Graph API.
A tool like Agorapulse can send a request to Instagram: for example, it can request that Instagram provide the number of likes you received on your most recent Instagram post. The Instagram Graph API receives that request, and delivers to Agorapulse the number of likes you received. Agorapulse’s Reports feature then sorts the answer for you.
The risk of using third-party apps that claim to post directly to Instagram … but aren’t Instagram Partners
There are some apps that have reverse-engineered the Instagram API so that they can automatically post directly to Instagram for users. This is different than the official way Agorapulse does it for business accounts. You might think this is a clever way to get around the posting issue, but it is in direct violation of Instagram’s Platform Policy, which states, “Don’t reverse engineer the Instagram APIs or any of Instagram’s apps.”
You’re taking a huge risk by using a third-party software that reverse engineers the Instagram API so that you can schedule content that automatically posts. Especially now that you can do it legitimately with a few extra steps. When you use an app that attempts to post to Instagram in ways that are not authorized, you may experience one or more of the following consequences:
1. Deleted content
Your published media could be deleted from Instagram. This has happened to many users.
2. Banned account
Instagram can ban or delete your account for violating Instagram’s terms and policies.
3. Security breach
You may lose access to your account or it may be hacked. Keep security in mind when you use an app by a developer you don’t know and who is not an official Instagram partner.
No matter how reliable the platform or how fine-tuned your security practices are, there is still a risk. For example, even the social scheduling tool Buffer experienced a security breach. If established companies with security teams can still experience security issues, then a third-party tool that uses APIs inappropriately and doesn’t use best security practices is even more vulnerable.
Would you post your Instagram login and password to a public webpage or a forum? Of course not! By providing them to a company you don’t know and is probably headquartered in a country you’ve never been to, you’re potentially doing that.
Why increase that risk?
These apps require you to give them your login credentials, like your password. No third-party app should ask you for your password directly. It should redirect to Instagram. For example, when you try to add an Instagram profile to your Agorapulse account, Agorapulse redirects you to Instagram.com, where you login directly to Instagram and allow Agorapulse access as a third-party app. Agorapulse is not provided with your password.
This means no one has your login info but you.
If you’re taking risks with your personal Instagram account, then the risk is yours (and your family’s if family photos are involved). However, if you’re managing social media for a business, you have responsibility for a company’s assets.
For you agencies and social media managers, the risks are even higher. A choice that goes against security and ethical best practices could result in a bad performance review at best and getting fired at worst.
It’s not worth risking your job just to post directly to Instagram.
Great social media managers are as mindful of security as they are of content. If you are hiring a community manager or social media manager, consider asking candidates such security-minded questions as:
- Where do you plan to share your company logins?
- How often do you do a check up on connected apps?
For the latter question, a social media manager should regularly review what apps have access to the Instagram account’s information. To see what apps are connected and revoke access to apps you no longer use, login to your Instagram account on the web and select “Edit Profile,” then select “Authorized Applications.” Review the list of apps and what permissions they have.
Choose “Revoke Access” if you no longer use the app. If you use a third-party app that requests your login information directly, you will not see it in this list. You run the risk of forgetting what apps have access or losing your account altogether. If you change your password, apps that are appropriately connected will still be able to function, while those that use Instagram in unauthorized ways, such as to post directly to Instagram, will stop working.