Meta OAuth — required permissions explained
The Meta permissions Wevion requests, grouped by purpose: managing campaigns, reading performance/insights, and handling account/asset (Pages, Instagram, catalogs, Business Manager). Each scope is documented with what it grants and why.
Written By Salvatore Sinigaglia
Last updated About 5 hours ago
The Meta permissions Wevion requests, grouped by purpose: managing campaigns, reading performance/insights, and handling account/asset (Pages, Instagram, catalogs, Business Manager). Each scope is documented with what it grants and why.
Meta OAuth — required permissions explained
When you connect Meta, Wevion requests a set of scopes from Facebook so it can read and manage your ads, Pages, Instagram placements, catalogs, and Business Manager assets. This article lists exactly which scopes Wevion requests and why. No friend list, no posting on your behalf.
Who is this for
Mediabuyers reviewing the OAuth consent screen, security-minded admins approving Wevion before connecting, anyone audit-reviewing data access.
The scopes Wevion requests
The authoritative list comes from apps/backend/src/providers/meta/core/constants.ts (META_SCOPES):
const META_SCOPES = [ 'email', 'ads_management', 'ads_read', 'instagram_basic', 'pages_manage_ads', 'pages_read_engagement', 'pages_show_list', 'catalog_management', 'read_insights', 'business_management',]The OAuth dialog you see at Facebook lists these scopes. If the consent screen shows a scope that is not in this list, stop — it's a bug or a phishing attempt mimicking Wevion.
To make the list easy to reason about, the scopes fall into three functional groups — this is the minimum Wevion needs to do its job, nothing more:
- Manage campaigns (
ads_management,pages_manage_ads) — create, edit, pause, and launch campaigns and Page-linked ads on the ad accounts you can access. - Read performance / insights (
ads_read,read_insights) — pull impressions, clicks, conversions, spend, and Page/ads metrics for analytics and reporting. - Manage accounts & assets (
business_management,pages_read_engagement,pages_show_list,instagram_basic,catalog_management,email) — discover and import your Business Manager ad accounts, Pages, linked Instagram accounts, and product catalogs in a single flow, and identify the connecting account.
Wevion asks only for what an ad-management tool needs to run your campaigns and report on them — no friend list, no posting on your behalf, no private messages. The per-scope detail below explains exactly what each grants.
What each scope does
1. ads_management
Grants: read and write access to ad accounts the user can access in Business Manager:
- View campaigns, ad sets, ads, creatives, audiences, custom audiences
- Create new campaigns, ad sets, ads
- Pause / resume / archive campaigns
- Edit budgets, audiences, schedules
- View ad insights (impressions, clicks, conversions, spend)
- Manage custom audiences and lookalike audiences
Why Wevion needs it: this is the core. Without ads_management, Wevion cannot do anything useful — no analytics, no launches, no rules, no automation. Every campaign-related action in Wevion is backed by this scope.
2. pages_read_engagement
Grants: read-only access to Facebook Pages you manage:
- List of Pages the user has roles on
- Page insights and engagement metrics (likes, comments, post performance)
- Page metadata (name, category, profile image)
- Linked Instagram accounts (via Page)
Does NOT grant: ability to post on the Page, edit Page settings, message users, read private messages.
Why Wevion needs it: to enable Page-as-source ads — ads that use your Page's voice/branding instead of an unbranded creative. Also required to surface Instagram placements (since Instagram accounts are linked through Facebook Pages).
3. business_management
Grants: access to Business Manager objects:
- List of Business Managers the user has roles on
- Ad accounts owned by each BM
- Pages owned by each BM
- Catalogs and Pixels associated with each BM
- BM-level users and their roles
Why Wevion needs it: lets you authorize once and import all your BM-managed ad accounts + Pages in a single flow. Without business_management, you'd have to OAuth each BM separately.
4. ads_read
Grants: read-only access to ad account performance and insights.
Why Wevion needs it: powers analytics and reporting even where write access isn't used; complements ads_management for read-heavy surfaces.
5. instagram_basic
Grants: read basic profile data for the Instagram accounts linked to your Pages (username, id, media metadata).
Why Wevion needs it: to surface Instagram placements and the linked IG account when you build ads from a Page.
6. pages_manage_ads
Grants: create and manage ads associated with the Pages you manage.
Why Wevion needs it: to launch Page-as-source ads and Page-linked Instagram ads on your behalf.
7. pages_show_list
Grants: list of Facebook Pages the user has a role on.
Why Wevion needs it: to populate the Pages picker at /connect/meta so you can choose which Pages to import.
8. catalog_management
Grants: read and manage the product catalogs associated with your Business Managers.
Why Wevion needs it: to support catalog-based (dynamic/collection) ads that pull products from a Meta catalog.
9. read_insights
Grants: read Page-level and ads insights metrics.
Why Wevion needs it: additional reporting depth on top of the ads-level insights.
What Wevion does NOT request
Wevion does not request:
public_profilebeyond the OAuth identifier — no photo/friend-facing profile datauser_friends— no friend listpublish_to_groups/publish_pages— no posting on your behalfinstagram_content_publish— Wevion reads Instagram via Page link and manages IG ads, but does not publish organic IG contentwhatsapp_business_management— no WhatsApp scope is requested; Wevion does not manage WhatsApp Business messaging or WhatsApp-specific ad flows
If Facebook's consent screen ever shows a scope NOT in the requested list above, stop and report — it's a bug or a phishing attempt mimicking Wevion.
The OAuth dialog walkthrough
When you click Connect in meta-101, the popup shows:
- Login: enter your Facebook credentials
- Welcome / continue as [your name]: confirms your Facebook identity
- App permissions screen: lists each scope Wevion requests with a Facebook-friendly description and an Allow/Skip toggle per scope
- You can deny
pages_read_engagementorbusiness_management— but then Wevion will be missing functionality. Best to allow all. - You cannot deny
ads_management— Wevion won't be functional without it
- You can deny
- Business selection: if you have multiple BMs, pick which to share with Wevion
- Continue: returns to Wevion
Permissions per role
Some scopes implicitly require Facebook-level permissions:
If your Facebook user has only Analyst role on an ad account, Wevion can READ that account but NOT launch campaigns. UI shows "read-only" badge in such cases.
Token expiry and refresh
Long-lived user tokens expire per Meta policy. A background job refreshes tokens due to expire within 7 days. See meta-107 token health.
How to audit what Wevion accesses
You can review and revoke at any time:
- Facebook: Settings & Privacy → Settings → Apps and Websites → Active → look for "Wevion" → Remove
- Business Manager: BM Settings → Apps → look for Wevion → Remove or restrict
Revoking from Facebook side immediately invalidates Wevion's token; your Wevion workspace shows the Meta connector as Disconnected (yellow card → Reconnect button).
Privacy and compliance
- Wevion processes Meta data as a processor under GDPR (you = controller)
- Standard DPA covers transfer to processors (Stripe, AWS, etc.)
- See
wevion.ai/legal/dpafor full Data Processing Agreement (Enterprise customers can negotiate amendments) - Meta-side privacy: Facebook's standard data sharing terms apply at consent time
Common questions
- Why can't I deny
ads_management? Wevion is an ad management tool; without ad write access there's nothing it can do for you. Choose a different tool if you don't want to grant this scope. - Can I scope to specific BMs? Yes, in the Facebook OAuth dialog. Wevion only sees BMs you share.
- What if I change my Facebook password? Token may auto-refresh OK or may force reconnect. See meta-107.
- Does Wevion store my Facebook password? No — never. Only the OAuth access token.
- Can other Wevion teammates see my Meta token? No. The token is workspace-scoped and only accessible to backend services for API calls on the workspace's behalf.
FAQ
What Meta permissions does Wevion request?
Wevion requests the META_SCOPES set from the backend code: email, ads_management, ads_read, instagram_basic, pages_manage_ads, pages_read_engagement, pages_show_list, catalog_management, read_insights, and business_management. These cover reading and managing ads, Pages, linked Instagram, catalogs, and Business Manager assets. The OAuth dialog at Facebook lists these scopes; if the consent screen shows any scope outside this list, stop — it's a bug or a phishing attempt mimicking Wevion.
Can I deny some of the Meta permissions Wevion asks for?
You can deny page- or business-related scopes in the Facebook OAuth dialog, but Wevion will then be missing functionality like Page-as-source ads or single-flow Business Manager import. You cannot deny ads_management — Wevion is an ad-management tool and cannot do anything useful without ad write access. Best practice is to allow the full requested set.
Does Wevion store my Facebook password?
No, never. Wevion stores only the OAuth access token in the meta_token table. It never sees or keeps your Facebook password. Long-lived user tokens expire per Meta policy and a background job refreshes them before expiry, so you rarely need to reconnect manually.
How do I revoke Wevion's access to my Meta account?
You can revoke at any time from Facebook (Settings & Privacy → Settings → Apps and Websites → Active → Wevion → Remove) or from Business Manager (BM Settings → Apps → Wevion → Remove). Revoking from the Facebook side immediately invalidates Wevion's token, and your Wevion workspace shows the Meta connector as Disconnected.
Can other Wevion teammates see my Meta token?
No. Your Meta token is workspace-scoped and only accessible to backend services making API calls on the workspace's behalf. It is never exposed to other teammates, and Wevion processes Meta data as a processor under GDPR while you remain the controller.
Steps
- Login: enter your Facebook credentials
- Welcome / continue as [your name]: confirms your Facebook identity
- App permissions screen: lists each scope Wevion requests with a Facebook-friendly description and an Allow/Skip toggle per scope
- Business selection: if you have multiple BMs, pick which to share with Wevion
- Continue: returns to Wevion
Last updated: 2026-05-17