CloudAIAgents

For Meta App Reviewers

Step-by-step review guide

This page walks through every permission we request, exactly how it’s used in CloudAIAgents, and how you can reproduce each user flow by signing in with a Facebook account that manages a Page (and, for the Instagram and Threads flows, a linked IG Business account or Threads profile). If anything is unclear, please email platform@cloudaiagents.net — we monitor this address during business hours UTC+7 with a target response of 4 hours.

Endpoints you may want to verify

  • OAuth start: https://cloudaiagents.net/api/auth/facebook
  • OAuth callback: https://cloudaiagents.net/api/auth/facebook/callback
  • Deauthorize callback: https://cloudaiagents.net/api/auth/facebook/deauthorize
  • Data deletion callback: https://cloudaiagents.net/api/data-deletion-callback
  • Webhooks (Page / IG / Threads): https://cloudaiagents.net/api/webhooks/facebook, /api/webhooks/instagram, /api/webhooks/threads
  • Privacy policy: /privacy-policy
  • Terms of service: /terms
  • Data deletion instructions: /data-deletion

Screen-recording script (for the demo video)

The following flow exercises Instagram Public Content Access and Business Asset User Profile Access end-to-end in one continuous take. Each step maps to an observable change on screen.

  1. Sign in. Open cloudaiagents.net, click “Continue with Facebook”, sign in with a Facebook account that manages a Page, and grant every requested scope on the consent dialog (highlight instagram_basic and pages_read_engagement in the dialog).
  2. Pick a Page. The picker lists the Pages you manage — choose one that shows an IG badge.
  3. Business Asset User Profile Access. On the Workspace tab, point at the “Recent audience” card on the right: each row is a real commenter whose name and avatar were resolved through Business Asset User Profile Access. Open one of the recent posts and switch to the Comments tab — the same name/avatar appears on every comment row.
  4. Instagram Public Content Access — hashtag search. Click the Discover tab. On “Hashtag search”, type a public hashtag and click Search; up to 12 top-performing public posts appear with like / comment counts. Click one tile — it opens the post on Instagram.com.
  5. Instagram Public Content Access — profile lookup. Switch to “Public profile lookup”, type a public Business handle and click Look up profile; the bio, follower count and recent public posts render in a grid.
  6. Wrap. Show the URL bar so reviewers can confirm the domain, then end the recording.

The recording should run roughly 60–90 seconds and stay in one browser tab. Keep audio narration in either English or Vietnamese.

Every Meta permission, mapped to a feature

We only ever request scopes that map to a user-visible feature, and we explain each one in plain language during the OAuth consent flow.

Meta permissionHow CloudAIAgents uses it
pages_show_listRender the page picker after login so the user can choose which Page to connect.
pages_manage_metadataSubscribe the chosen Page to webhooks so the Reply Agent receives inbox and comment events.
pages_read_engagement & pages_manage_engagementReply Agent reads comments to triage them and optionally posts a reply or hides spam.
pages_manage_postsContent Agent publishes drafts that the user has approved.
read_insightsInsight Agent compiles the weekly performance digest.
instagram_basic, instagram_manage_comments, instagram_manage_contents, instagram_manage_engagement, instagram_manage_insightsSame Reply / Content / Insight workflows applied to a connected Instagram Business account.
instagram_content_publishContent Agent publishes approved media to IG Feed or Reels.
threads_*Publish to Threads and let Reply Agent answer replies.
Instagram Public Content AccessLets a Page owner research public Instagram content without leaving CloudAIAgents — discover trending hashtags and benchmark public Business / Creator profiles for content planning.
Business Asset User Profile AccessResolves the {id, name, profile_picture} of people who comment on the connected Page so the Inbox / Audience UI can show real display names and avatars instead of opaque IDs, exactly the data the permission unlocks.

Permission-by-permission walkthrough

pages_show_list

Render the page picker after login so the user can choose which Page to connect.

Steps to reproduce

  1. Click "Continue with Facebook" on the home page.
  2. Sign in with a Facebook account that manages a Page.
  3. Grant the requested scopes on the consent dialog.
  4. You are redirected to /dashboard; the page picker lists every Page you manage.

Expected behaviour

A list of Pages with name, category and connect button appears. No data is written until the user explicitly connects a Page.

pages_manage_metadata

Subscribe the chosen Page to webhooks so the Reply Agent receives inbox and comment events.

Steps to reproduce

  1. After picking a Page on the Workspace tab, open Settings → "Page webhook subscriptions".
  2. Click the green "Subscribe" button — the indicator dot turns emerald within a second.
  3. The status line now reads "Subscribed · fields: feed, messages, messaging_postbacks", confirming the POST to /{page-id}/subscribed_apps succeeded.
  4. Clicking "Unsubscribe" reverses the call cleanly.

Expected behaviour

CloudAIAgents calls POST /{page-id}/subscribed_apps with subscribed_fields=feed,messages,messaging_postbacks. DELETE on the same edge undoes it. No other page metadata is read or written.

pages_read_engagement & pages_manage_engagement

Reply Agent reads comments to triage them and optionally posts a reply or hides spam.

Steps to reproduce

  1. On the connected Page, post a public comment under any post.
  2. Within ~30 seconds, the comment appears in CloudAIAgents Dashboard → Inbox.
  3. Click the AI-suggested reply, edit if needed, click “Send”.
  4. The reply appears under the same comment on Facebook.

Expected behaviour

No actions are taken without an explicit human click in this default mode. The Compliance Agent screens the draft first.

pages_manage_posts

Content Agent publishes drafts that the user has approved.

Steps to reproduce

  1. In the Dashboard, open Content → New Post.
  2. Type a prompt (e.g. "Announce a 20% summer sale").
  3. Click Generate; review the AI-suggested caption.
  4. Click "Schedule" → choose a time → "Approve & Publish".
  5. Within a minute, the post appears on the connected Page.

Expected behaviour

POST /{page-id}/feed is called with the approved message. We log the request and the resulting post id for audit.

read_insights

Insight Agent compiles the weekly performance digest.

Steps to reproduce

  1. Open Dashboard → Insights → Generate weekly report.
  2. A 1-page summary appears with reach, engagement and recommendations.

Expected behaviour

Only aggregated metrics from /{page-id}/insights are read. No personally identifying audience data is requested.

instagram_basic, instagram_manage_comments, instagram_manage_contents, instagram_manage_engagement, instagram_manage_insights

Same Reply / Content / Insight workflows applied to a connected Instagram Business account.

Steps to reproduce

  1. After connecting a Page that is linked to an IG Business account, the IG account appears under Settings → Accounts.
  2. Repeat the comment, inbox and publish flows from the Page section above on the IG account.

Expected behaviour

Identical UX, distinct icons identify IG-origin events.

instagram_content_publish

Content Agent publishes approved media to IG Feed or Reels.

Steps to reproduce

  1. Open Dashboard → Content → New IG post.
  2. Upload an image.
  3. Type a caption, approve, choose Feed or Reels.
  4. Click Publish; the post appears on the IG account.

Expected behaviour

CloudAIAgents uses the two-step container + publish flow defined in the IG Graph API docs.

threads_*

Publish to Threads and let Reply Agent answer replies.

Steps to reproduce

  1. In Dashboard → Threads, click New Thread.
  2. Use the AI-suggested caption or write your own.
  3. Click Publish. The post appears on your connected Threads profile.
  4. Reply to the thread from another account; the reply surfaces in CloudAIAgents with a suggested AI response.

Expected behaviour

CloudAIAgents uses the official Threads API container + publish flow. Replies are sent only after the user clicks Send (or auto-reply is explicitly enabled).

Instagram Public Content Access

Lets a Page owner research public Instagram content without leaving CloudAIAgents — discover trending hashtags and benchmark public Business / Creator profiles for content planning.

Steps to reproduce

  1. Sign in with Facebook (the Page must be linked to an Instagram Business / Creator account).
  2. Open Dashboard → Discover.
  3. On the “Hashtag search” tab, type a hashtag (e.g. travelvietnam) and click Search; up to 12 top-performing public posts appear with engagement counts.
  4. Switch to “Public profile lookup”, enter a public Business handle (e.g. @natgeo) and click Look up profile; the bio, follower count and recent public posts are displayed.

Expected behaviour

Only public fields exposed by ig_hashtag_search / business_discovery are read. We never request private content. Results are rendered in-memory and discarded when the tab closes. This submission also includes the required instagram_basic and pages_read_engagement scopes.

Business Asset User Profile Access

Resolves the {id, name, profile_picture} of people who comment on the connected Page so the Inbox / Audience UI can show real display names and avatars instead of opaque IDs, exactly the data the permission unlocks.

Steps to reproduce

  1. Sign in and connect a Page.
  2. On the Workspace tab, the right-hand “Recent audience” card lists the last commenters with their resolved name + avatar (this is the exact data exposed by Business Asset User Profile Access).
  3. Click any post in the feed → Comments tab; every comment row also shows the commenter’s display name and avatar pulled from from{id,name,picture}.

Expected behaviour

We only read public profile fields (name, profile_pic) for users who have themselves interacted with assets the Page owner manages. No additional fields are requested; no profile is stored beyond the current session view.

Operational contacts

We respond to reviewer emails within 4 business hours during 09:00–18:00 ICT (Mon–Fri).