Meta OAuth — required permissions explained

The Meta permissions Wevion requests, grouped by purpose: managing campaigns, reading performance and insights, and handling accounts and assets (Pages, Instagram, catalogs, Business Manager). Each scope is documented with what it grants and why.

Written By Salvatore Sinigaglia

Last updated About 5 hours ago

When you connect Meta, Wevion requests a set of scopes from Facebook so it can read and manage your ads, Pages, Instagram placements, catalogs, and Business Manager assets. This article lists exactly which scopes Wevion requests and why. No friend list, no posting on your behalf.

Who is this for

Media buyers reviewing the OAuth consent screen, security-minded admins approving Wevion before connecting, and anyone auditing data access.

The scopes Wevion requests

The authoritative list comes from apps/backend/src/providers/meta/core/constants.ts (META_SCOPES):

const META_SCOPES = [
  'email',
  'ads_management',
  'ads_read',
  'instagram_basic',
  'pages_manage_ads',
  'pages_read_engagement',
  'pages_show_list',
  'catalog_management',
  'read_insights',
  'business_management',
]

The OAuth dialog you see at Facebook lists these scopes. If the consent screen shows a scope that is not in this list, stop — it's a bug or a phishing attempt mimicking Wevion.

To make the list easy to reason about, the scopes fall into three functional groups — this is the minimum Wevion needs to do its job, nothing more:

  • Manage campaigns (ads_management, pages_manage_ads) — create, edit, pause, and launch campaigns and Page-linked ads on the ad accounts you can access.
  • Read performance / insights (ads_read, read_insights) — pull impressions, clicks, conversions, spend, and Page/ads metrics for analytics and reporting.
  • Manage accounts & assets (business_management, pages_read_engagement, pages_show_list, instagram_basic, catalog_management, email) — discover and import your Business Manager ad accounts, Pages, linked Instagram accounts, and product catalogs in a single flow, and identify the connecting account.

Wevion asks only for what an ad-management tool needs to run your campaigns and report on them — no friend list, no posting on your behalf, no private messages. The per-scope detail below explains exactly what each grants.

What each scope does

1. ads_management

Grants: read and write access to ad accounts the user can access in Business Manager:

  • View campaigns, ad sets, ads, creatives, audiences, custom audiences
  • Create new campaigns, ad sets, ads
  • Pause / resume / archive campaigns
  • Edit budgets, audiences, schedules
  • View ad insights (impressions, clicks, conversions, spend)
  • Manage custom audiences and lookalike audiences

Why Wevion needs it: this is the core. Without ads_management, Wevion cannot do anything useful — no analytics, no launches, no rules, no automation. Every campaign-related action in Wevion is backed by this scope.

2. pages_read_engagement

Grants: read-only access to Facebook Pages you manage:

  • List of Pages the user has roles on
  • Page insights and engagement metrics (likes, comments, post performance)
  • Page metadata (name, category, profile image)
  • Linked Instagram accounts (via Page)

Does NOT grant: ability to post on the Page, edit Page settings, message users, read private messages.

Why Wevion needs it: to enable Page-as-source ads — ads that use your Page's voice/branding instead of an unbranded creative. Also required to surface Instagram placements (since Instagram accounts are linked through Facebook Pages).

3. business_management

Grants: access to Business Manager objects:

  • List of Business Managers the user has roles on
  • Ad accounts owned by each BM
  • Pages owned by each BM
  • Catalogs and Pixels associated with each BM
  • BM-level users and their roles

Why Wevion needs it: lets you authorize once and import all your BM-managed ad accounts + Pages in a single flow. Without business_management, you'd have to OAuth each BM separately.

4. ads_read

Grants: read-only access to ad account performance and insights.

Why Wevion needs it: powers analytics and reporting even where write access isn't used; complements ads_management for read-heavy surfaces.

5. instagram_basic

Grants: read basic profile data for the Instagram accounts linked to your Pages (username, id, media metadata).

Why Wevion needs it: to surface Instagram placements and the linked IG account when you build ads from a Page.

6. pages_manage_ads

Grants: create and manage ads associated with the Pages you manage.

Why Wevion needs it: to launch Page-as-source ads and Page-linked Instagram ads on your behalf.

7. pages_show_list

Grants: list of Facebook Pages the user has a role on.

Why Wevion needs it: to populate the Pages picker at /connect/meta so you can choose which Pages to import.

8. catalog_management

Grants: read and manage the product catalogs associated with your Business Managers.

Why Wevion needs it: to support catalog-based (dynamic/collection) ads that pull products from a Meta catalog.

9. read_insights

Grants: read Page-level and ads insights metrics.

Why Wevion needs it: additional reporting depth on top of the ads-level insights.

What Wevion does NOT request

Wevion does not request:

  • public_profile beyond the OAuth identifier — no photo/friend-facing profile data
  • user_friends — no friend list
  • publish_to_groups / publish_pages — no posting on your behalf
  • instagram_content_publish — Wevion reads Instagram via Page link and manages IG ads, but does not publish organic IG content
  • whatsapp_business_management — no WhatsApp scope is requested; Wevion does not manage WhatsApp Business messaging or WhatsApp-specific ad flows

If Facebook's consent screen ever shows a scope NOT in the requested list above, stop and report — it's a bug or a phishing attempt mimicking Wevion.

The OAuth dialog walkthrough

When you click Connect in meta-101, the popup shows:

  1. Login: enter your Facebook credentials
  2. Welcome / continue as [your name]: confirms your Facebook identity
  3. App permissions screen: lists each scope Wevion requests with a Facebook-friendly description and an Allow/Skip toggle per scope
    • You can deny pages_read_engagement or business_management — but then Wevion will be missing functionality. Best to allow all.
    • You cannot deny ads_management — Wevion won't be functional without it
  4. Business selection: if you have multiple BMs, pick which to share with Wevion
  5. Continue: returns to Wevion

Permissions per role

Some scopes implicitly require Facebook-level permissions:

| Wevion scope | Requires user to be |
| --- | --- |
| ads_management | Advertiser or Admin on the ad account in BM |
| pages_read_engagement | Admin, Editor, Analyst, or Advertiser on the Page |
| business_management | Any role in the BM (Admin to see all assets) |

If your Facebook user has only the Analyst role on an ad account, Wevion can READ that account but NOT launch campaigns. The UI shows a "read-only" badge in such cases.

Token expiry and refresh

Long-lived user tokens expire per Meta policy. A background job refreshes tokens due to expire within 7 days. See meta-107 token health.

How to audit what Wevion accesses

You can review and revoke at any time:

  • Facebook: Settings & Privacy → Settings → Apps and Websites → Active → look for "Wevion" → Remove
  • Business Manager: BM Settings → Apps → look for Wevion → Remove or restrict

Revoking from the Facebook side immediately invalidates Wevion's token; your Wevion workspace then shows the Meta connector as Disconnected (yellow card → Reconnect button).
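The same audit can be done from the API side. The following is an added example, not Wevion's own code: it compares the permission entries a token reports (the `data` array of Graph API `GET /me/permissions`) against the META_SCOPES list above. `auditScopes`, `IMPLICIT_SCOPES`, `REQUIRED_SCOPES` and the sample response are hypothetical names and constructed data, and treating `public_profile` as granted by default is an assumption.

```typescript
// Added example, not Wevion's code. Sample data below is constructed.
// Scope list copied from the page's META_SCOPES.
const META_SCOPES: string[] = [
  'email', 'ads_management', 'ads_read', 'instagram_basic', 'pages_manage_ads',
  'pages_read_engagement', 'pages_show_list', 'catalog_management',
  'read_insights', 'business_management',
];
// Assumption: Facebook Login grants public_profile by default, so it is
// expected in the response even though it is not in META_SCOPES.
const IMPLICIT_SCOPES: string[] = ['public_profile'];
// Per the page, ads_management is the one scope Wevion cannot run without.
const REQUIRED_SCOPES: string[] = ['ads_management'];

// One element of the `data` array returned by GET /me/permissions.
interface PermissionEntry { permission: string; status: string; }

interface ScopeAudit {
  unexpected: string[];      // granted but never requested: stop and report
  notGranted: string[];      // requested but declined/absent: reduced functionality
  missingRequired: string[]; // connector cannot function
  ok: boolean;
}

function auditScopes(entries: PermissionEntry[]): ScopeAudit {
  const granted = entries.filter(e => e.status === 'granted').map(e => e.permission);
  const allowed = META_SCOPES.concat(IMPLICIT_SCOPES);
  const unexpected = granted.filter(p => allowed.indexOf(p) === -1).sort();
  const notGranted = META_SCOPES.filter(s => granted.indexOf(s) === -1);
  const missingRequired = REQUIRED_SCOPES.filter(s => granted.indexOf(s) === -1);
  return {
    unexpected, notGranted, missingRequired,
    ok: unexpected.length === 0 && missingRequired.length === 0,
  };
}

// Constructed response: business_management declined by the user, plus one
// grant (user_friends) that the page says Wevion never requests.
function sampleEntries(): PermissionEntry[] {
  const entries: PermissionEntry[] = META_SCOPES.map(s => ({
    permission: s,
    status: s === 'business_management' ? 'declined' : 'granted',
  }));
  entries.push({ permission: 'public_profile', status: 'granted' });
  entries.push({ permission: 'user_friends', status: 'granted' });
  return entries;
}

console.log(JSON.stringify(auditScopes(sampleEntries()), null, 2));
```

A non-empty `unexpected` list is the API-side equivalent of the consent screen showing a scope outside the requested list; `notGranted` only signals reduced functionality.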

Privacy and compliance

  • Wevion processes Meta data as a processor under GDPR (you = controller)
  • Standard DPA covers transfer to processors (Stripe, AWS, etc.)
  • See wevion.ai/legal/dpa for full Data Processing Agreement (Enterprise customers can negotiate amendments)
  • Meta-side privacy: Facebook's standard data sharing terms apply at consent time

Common questions

  • Why can't I deny ads_management? Wevion is an ad management tool; without ad write access there's nothing it can do for you. Choose a different tool if you don't want to grant this scope.
  • Can I scope to specific BMs? Yes, in the Facebook OAuth dialog. Wevion only sees BMs you share.
  • What if I change my Facebook password? The token may refresh automatically, or you may be forced to reconnect. See meta-107.
  • Does Wevion store my Facebook password? No — never. Only the OAuth access token.
  • Can other Wevion teammates see my Meta token? No. The token is workspace-scoped and only accessible to backend services for API calls on the workspace's behalf.

FAQ

What Meta permissions does Wevion request?

Wevion requests the META_SCOPES set from the backend code: email, ads_management, ads_read, instagram_basic, pages_manage_ads, pages_read_engagement, pages_show_list, catalog_management, read_insights, and business_management. These cover reading and managing ads, Pages, linked Instagram, catalogs, and Business Manager assets. The OAuth dialog at Facebook lists these scopes; if the consent screen shows any scope outside this list, stop — it's a bug or a phishing attempt mimicking Wevion.

Can I deny some of the Meta permissions Wevion asks for?

You can deny page- or business-related scopes in the Facebook OAuth dialog, but Wevion will then be missing functionality like Page-as-source ads or single-flow Business Manager import. You cannot deny ads_management — Wevion is an ad-management tool and cannot do anything useful without ad write access. Best practice is to allow the full requested set.

Does Wevion store my Facebook password?

No, never. Wevion stores only the OAuth access token in the meta_token table. It never sees or keeps your Facebook password. Long-lived user tokens expire per Meta policy and a background job refreshes them before expiry, so you rarely need to reconnect manually.

How do I revoke Wevion's access to my Meta account?

You can revoke at any time from Facebook (Settings & Privacy → Settings → Apps and Websites → Active → Wevion → Remove) or from Business Manager (BM Settings → Apps → Wevion → Remove). Revoking from the Facebook side immediately invalidates Wevion's token, and your Wevion workspace shows the Meta connector as Disconnected.

Can other Wevion teammates see my Meta token?

No. Your Meta token is workspace-scoped and only accessible to backend services making API calls on the workspace's behalf. It is never exposed to other teammates, and Wevion processes Meta data as a processor under GDPR while you remain the controller.

Last updated: 2026-05-17