Meta OAuth — required permissions explained

Last updated: May 19, 2026

When you connect Meta, Wevion requests 3 scopes from Facebook: ads_management, pages_read_engagement, business_management. This article explains exactly what each grants and why Wevion needs it. No personal data, no friend list, no posts. Wevion never posts on your behalf.

Who is this for

Media buyers reviewing the OAuth consent screen, security-minded admins approving Wevion before connecting, and anyone auditing data access.

The 3 scopes Wevion requests

The authoritative list comes from apps/backend/src/providers/meta/core/constants.ts (META_SCOPES):

const META_SCOPES = [
  'ads_management',
  'pages_read_engagement',
  'business_management',
]

That's it. Three scopes. The OAuth dialog you see at Facebook will list these and only these.

What each scope does

1. ads_management

Grants: read and write access to ad accounts the user can access in Business Manager:

  • View campaigns, ad sets, ads, creatives, audiences, custom audiences

  • Create new campaigns, ad sets, ads

  • Pause / resume / archive campaigns

  • Edit budgets, audiences, schedules

  • View ad insights (impressions, clicks, conversions, spend)

  • Manage custom audiences and lookalike audiences

Why Wevion needs it: this is the core. Without ads_management, Wevion cannot do anything useful — no analytics, no launches, no rules, no automation. Every campaign-related action in Wevion is backed by this scope.

2. pages_read_engagement

Grants: read-only access to Facebook Pages you manage:

  • List of Pages the user has roles on

  • Page insights and engagement metrics (likes, comments, post performance)

  • Page metadata (name, category, profile image)

  • Linked Instagram accounts (via Page)

Does NOT grant: ability to post on the Page, edit Page settings, message users, read private messages.

Why Wevion needs it: to enable Page-as-source ads — ads that use your Page's voice/branding instead of an unbranded creative. Also required to surface Instagram placements (since Instagram accounts are linked through Facebook Pages).

3. business_management

Grants: access to Business Manager objects:

  • List of Business Managers the user has roles on

  • Ad accounts owned by each BM

  • Pages owned by each BM

  • Catalogs and Pixels associated with each BM

  • BM-level users and their roles

Why Wevion needs it: lets you authorize once and import all your BM-managed ad accounts + Pages in a single flow. Without business_management, you'd have to OAuth each BM separately.

What Wevion does NOT request

Wevion deliberately does not request:

  • public_profile — no name/photo/profile data

  • email — no email address

  • user_friends — no friend list

  • publish_to_groups / publish_pages — no posting on your behalf

  • read_insights — Page-level insights covered by pages_read_engagement (we use the narrower scope)

  • instagram_basic / instagram_content_publish — Instagram surfaced via Page link, not direct IG OAuth

  • whatsapp_business_management — no WhatsApp integration

  • Any user-level data beyond the OAuth identifier

If Facebook's consent screen ever shows a scope NOT in this list, stop and report — it's a bug or a phishing attempt mimicking Wevion.

The OAuth dialog walkthrough

When you click Connect in meta-101, the popup shows:

  1. Login: enter your Facebook credentials

  2. Welcome / continue as [your name]: confirms your Facebook identity

  3. App permissions screen: lists each scope Wevion requests with a Facebook-friendly description and an Allow/Skip toggle per scope

    • You can deny pages_read_engagement or business_management — but then Wevion will be missing functionality. Best to allow all.

    • You cannot deny ads_management — Wevion won't be functional without it

  4. Business selection: if you have multiple BMs, pick which to share with Wevion

  5. Continue: returns to Wevion
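As an added example (not Wevion's own code, which lives in constants.ts), the TypeScript below does two things this article asks of a reviewer: it compares the scope parameter of the Facebook consent-screen URL against the documented list so that any extra scope is flagged, and it classifies a Graph API /me/permissions response by what was allowed or skipped on the permissions screen (ads_management declined means unusable, another scope declined means degraded). The dialog URL, App ID placeholder and permissions response are constructed sample inputs.

```typescript
// Added example, not Wevion's code: audit requested vs. granted Meta scopes.

// The three scopes this article documents.
const META_SCOPES = ['ads_management', 'pages_read_engagement', 'business_management'] as const;
type MetaScope = typeof META_SCOPES[number];

interface ScopeCheck { unexpected: string[]; missing: string[]; ok: boolean }

// Compare the comma-separated `scope` query parameter of the Facebook OAuth
// dialog URL with the documented list. Anything extra is a reason to stop.
function checkRequestedScopes(dialogUrl: string): ScopeCheck {
  const url = new URL(dialogUrl);
  const requested = (url.searchParams.get('scope') ?? '')
    .split(',').map(s => s.trim()).filter(Boolean);
  const expected = new Set<string>(META_SCOPES);
  const unexpected = requested.filter(s => !expected.has(s));
  const missing = META_SCOPES.filter(s => !requested.includes(s));
  return { unexpected, missing, ok: unexpected.length === 0 && missing.length === 0 };
}

// Shape of a Graph API /me/permissions response.
interface PermissionsResponse { data: { permission: string; status: 'granted' | 'declined' }[] }
type Capability = 'full' | 'degraded' | 'unusable';

// Map what the user allowed or skipped on the permissions screen to the
// functionality levels described in the walkthrough above.
function auditGranted(resp: PermissionsResponse): { granted: MetaScope[]; declined: MetaScope[]; capability: Capability } {
  const ok = new Set(resp.data.filter(p => p.status === 'granted').map(p => p.permission));
  const granted = META_SCOPES.filter(s => ok.has(s));
  const declined = META_SCOPES.filter(s => !ok.has(s));
  const capability: Capability =
    !ok.has('ads_management') ? 'unusable' : declined.length > 0 ? 'degraded' : 'full';
  return { granted, declined, capability };
}

// Constructed sample inputs: a dialog URL with one extra scope ("email") and
// a permissions response where pages_read_engagement was skipped.
const SAMPLE_DIALOG_URL =
  'https://www.facebook.com/dialog/oauth?client_id=APP_ID_PLACEHOLDER' +
  '&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb' +
  '&scope=ads_management,pages_read_engagement,business_management,email';
const SAMPLE_PERMISSIONS: PermissionsResponse = { data: [
  { permission: 'ads_management', status: 'granted' },
  { permission: 'pages_read_engagement', status: 'declined' },
  { permission: 'business_management', status: 'granted' },
] };
```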

Permissions per role

Some scopes implicitly require Facebook-level permissions:

Wevion scope             Requires user to be
ads_management           Advertiser or Admin on the ad account in BM
pages_read_engagement    Admin, Editor, Analyst, or Advertiser on the Page
business_management      Any role in the BM (Admin to see all assets)

If your Facebook user has only the Analyst role on an ad account, Wevion can READ that account but NOT launch campaigns. The UI shows a "read-only" badge in such cases.

Token expiry and refresh

Granted tokens are valid for about 60 days (Meta policy) and are refreshed automatically when possible. See meta-107 token health.

How to audit what Wevion accesses

You can review and revoke at any time:

  • Facebook: Settings & Privacy → Settings → Apps and Websites → Active → look for "Wevion" → Remove

  • Business Manager: BM Settings → Apps → look for Wevion → Remove or restrict

Revoking from the Facebook side immediately invalidates Wevion's token; your Wevion workspace then shows the Meta connector as Disconnected (yellow card → Reconnect button).

Privacy and compliance

  • Wevion processes Meta data as a processor under GDPR (you = controller)

  • Standard DPA covers transfer to processors (Stripe, AWS, etc.)

  • See wevion.ai/legal/dpa for full Data Processing Agreement (Enterprise customers can negotiate amendments)

  • Meta-side privacy: Facebook's standard data sharing terms apply at consent time

Common questions

  • Why can't I deny ads_management? Wevion is an ad management tool; without ad write access there's nothing it can do for you. Choose a different tool if you don't want to grant this scope.

  • Can I scope to specific BMs? Yes, in the Facebook OAuth dialog. Wevion only sees BMs you share.

  • What if I change my Facebook password? The token may refresh automatically, or you may be forced to reconnect. See meta-107.

  • Does Wevion store my Facebook password? No — never. Only the OAuth access + refresh tokens, encrypted at rest.

  • Can other Wevion teammates see my Meta token? No. The token is workspace-scoped, encrypted, and only accessible to backend services for API calls on the workspace's behalf.

Related