What is Instagram Private Reply API and How to Use It

Understand Instagram Private Reply API and how it enables automated DM responses to comments. Technical overview and practical implementation.

Understanding the Instagram Private Reply API

The Instagram Private Reply API is a feature within the Instagram Graph API that allows businesses and creators to send direct messages in response to public comments on their posts and reels. When someone comments on your content, the Private Reply API enables your application or automation tool to send them a personalized DM — automatically and programmatically.

This is the backbone of Instagram DM automation. Every tool that offers “auto DM when someone comments a keyword” relies on the Private Reply API (or its equivalent endpoints) under the hood. Understanding how it works helps you choose better tools, troubleshoot issues, and potentially build custom integrations.

How the Private Reply API Works

At a high level, the flow works like this:

A user comments on your Instagram post or reel
Instagram’s webhook system sends a notification to your connected application
Your application checks if the comment matches your defined criteria (keywords, post ID, etc.)
If it matches, your application sends a POST request to the API with the comment ID and your message
Instagram delivers the message as a DM to the commenting user
The user receives the DM in their Instagram inbox

The entire process happens in milliseconds. From the user’s perspective, they comment a keyword and instantly receive a DM — it feels nearly simultaneous.

Key Terminology

Before diving deeper, let’s clarify the important terms:

Instagram Graph API

Meta’s primary API for Instagram, used for accessing and managing Instagram Business and Creator accounts. All official Instagram integrations use this API. It replaced the older Instagram Basic Display API and Instagram API Platform.

Private Reply

The specific API capability that sends a DM in response to a public comment. The “private” refers to the DM being a private message (not a public reply), not that the API itself is private or restricted.

Webhook

A mechanism where Instagram proactively notifies your application when a specific event occurs (like a new comment), rather than your application constantly polling Instagram to check. Webhooks enable real-time automation.

Access Token

A credential that authenticates your application’s requests to the Instagram Graph API. Different permissions (scopes) grant access to different capabilities.

Comment ID

A unique identifier for every Instagram comment. You need this ID to use the Private Reply API — it tells Instagram exactly which comment to reply to.

Technical Architecture

Here’s a more detailed look at the technical flow:

1. Webhook Registration

First, you register your application to receive webhook notifications from Instagram. You subscribe to the comments field within the instagram webhook product. This tells Meta: “Whenever a comment is posted or updated, send me a notification.”

The webhook payload for a new comment looks something like this:

{
  "entry": [{
    "changes": [{
      "field": "comments",
      "value": {
        "id": "17895695668004550",
        "text": "LINK",
        "media": {
          "id": "18012345678901234",
          "media_product_type": "FEED"
        },
        "from": {
          "id": "17841405793059018",
          "username": "example_user"
        },
        "timestamp": "2026-05-10T14:30:00+0000"
      }
    }]
  }]
}

2. Comment Processing

Your application receives the webhook, extracts the comment text and user information, and evaluates it against your automation rules:

Does the comment text match a keyword trigger?
Is the post ID in the list of posts you want to automate?
Has this user already received an automated reply recently?
Does the comment contain any negative keywords that should be excluded?

3. Sending the Private Reply

If the comment passes your rules, your application sends a POST request to the Private Reply endpoint:

POST https://graph.facebook.com/v19.0/{ig-comment-id}/replies

With parameters:

message: The text of your DM
access_token: Your authenticated access token

The API responds with a message ID confirming the DM was sent:

{
  "id": "aWdfZAG1pbmdfaWdfZAG1pbmdfaWdfZAG1"
}

4. Rate Limiting and Error Handling

Instagram enforces rate limits on API requests. Your application must handle:

429 Too Many Requests: Back off and retry after the specified window
400 Bad Request: Check your payload formatting
403 Forbidden: Validate your access token permissions
10 error code: The user has restricted who can message them

Required Permissions and Setup

To use the Private Reply API, your application needs:

Required Scopes

instagram_basic — Access basic profile information
instagram_manage_messages — Send and receive messages
instagram_manage_comments — Access and manage comments
pages_read_engagement — Read Page data
pages_show_list — Show list of Pages
pages_messaging — Manage Page messaging

Account Requirements

The Instagram account must be a Business or Creator account
It must be connected to a Facebook Page
The Facebook Page must be linked to the application
The user (you) must have the appropriate role on the Page (Admin, Editor, or Moderator)

App Review

If you’re building a custom application that will serve multiple Instagram accounts, you’ll need to submit your app for Meta’s App Review, which includes explaining how you use the Private Reply data and demonstrating compliant usage.

Practical Implementation Examples

Sending a Simple Private Reply (cURL)

curl -X POST \
  "https://graph.facebook.com/v19.0/{comment-id}/replies" \
  -d "message=Hey! Thanks for commenting. Here's the link you asked for: https://example.com" \
  -d "access_token={your-access-token}"

Sending a Private Reply with Python

import requests

def send_private_reply(comment_id, message, access_token):
    url = f"https://graph.facebook.com/v19.0/`{comment_id}`/replies"
    params = {
        "message": message,
        "access_token": access_token
    }
    
    response = requests.post(url, data=params)
    
    if response.status_code == 200:
        return response.json()
    else:
        raise Exception(f"API Error: {response.status_code} - {response.text}")

# Usage
reply = send_private_reply(
    comment_id="17895695668004550",
    message="Thanks for your interest! Here's the link: https://example.com",
    access_token="YOUR_ACCESS_TOKEN"
)

Webhook Handler Example (Node.js)

const express = require('express');
const axios = require('axios');
const app = express();

app.post('/webhook', express.json(), async (req, res) => {
  const { entry } = req.body;
  
  for (const pageEntry of entry) {
    for (const change of pageEntry.changes) {
      if (change.field !== 'comments') continue;
      
      const comment = change.value;
      const commentId = comment.id;
      const commentText = comment.text.toLowerCase().trim();
      const accessToken = process.env.PAGE_ACCESS_TOKEN;
      
      // Keyword matching logic
      const triggers = ['link', 'price', 'info', 'more'];
      const exclusions = ['scam', 'fake', 'spam'];
      
      const shouldTrigger = triggers.some(t => commentText.includes(t));
      const shouldExclude = exclusions.some(e => commentText.includes(e));
      
      if (shouldTrigger && !shouldExclude) {
        try {
          await axios.post(
            `https://graph.facebook.com/v19.0/$`{commentId}`/replies`,
            null,
            {
              params: {
                message: `Hey! Thanks for your comment. Here's what you asked for: https://example.com`,
                access_token: accessToken
              }
            }
          );
          console.log(`Private reply sent for comment ${commentId}`);
        } catch (error) {
          console.error(`Failed to send reply: ${error.response?.data || error.message}`);
        }
      }
    }
  }
  
  res.sendStatus(200);
});

// Verification endpoint for webhook setup
app.get('/webhook', (req, res) => {
  const mode = req.query['hub.mode'];
  const token = req.query['hub.verify_token'];
  const challenge = req.query['hub.challenge'];
  
  if (mode === 'subscribe' && token === process.env.VERIFY_TOKEN) {
    res.status(200).send(challenge);
  } else {
    res.sendStatus(403);
  }
});

app.listen(3000, () => console.log('Webhook server running on port 3000'));

Private Reply vs. Public Reply

The Private Reply API specifically enables DM-based responses. Instagram also supports public comment replies through a separate endpoint. Here’s when to use each:

Private Reply (DM)

Sending links, downloads, or resources
Sharing pricing or sensitive information
Starting a private conversation
Building a 1:1 relationship
Delivering lead magnets

Public Reply (Comment)

Acknowledging a comment (“Thanks!”)
Answering a question that benefits other readers
Showing social proof of responsiveness
Community building and public conversations

Many businesses use both: a public reply thanking the user for the comment, followed by a private reply with the promised resource or link.

Limitations of the Private Reply API

Understanding what the API can and cannot do helps set realistic expectations:

What It Can Do

Send a DM in response to any comment on your posts or reels
Include links, emojis, and formatted text in DMs
Send different messages to different users based on their comment content
Work with both feed posts and reels

What It Cannot Do

Reply to comments on other people’s posts: The API only works on your own content
Send DMs to users who haven’t commented: You need a comment as the trigger
Reply to Story replies: Story interactions use different webhook events
Send attachments directly: While some API versions support media messages, limitations exist
Bypass rate limits: All accounts are subject to Instagram’s messaging limits

Rate Limits

Instagram imposes per-user rate limits that vary by account
Newer accounts have stricter limits (20-50 DMs/day)
Established business accounts typically handle 100-200+ API-initiated DMs/day
Exceeding limits results in temporary blocks (usually hours, not days)
Rate limits apply to the account, not the API key — using multiple keys doesn’t increase your limit

Choosing Between Building and Buying

You have two paths for implementing Private Reply API automation:

Build Your Own Integration

Pros:

Complete control over logic and customization
No monthly subscription costs (beyond hosting)
Deep integration with your existing systems
No data sharing with third parties

Cons:

Significant development time (weeks to months)
Ongoing maintenance (API changes, bug fixes)
Must handle rate limiting, error handling, retries
Requires Meta App Review for multi-account usage
Need to manage webhook infrastructure

Use an Existing Platform

Pros:

Ready in minutes, not months
Regular updates and API maintenance handled for you
Visual builders and pre-built templates
Built-in analytics and reporting
Team collaboration features

Cons:

Monthly subscription costs
Less customization flexibility
Data flows through a third party
Dependent on their uptime and roadmap

For most businesses, using an existing platform makes more sense. Building custom integration is justifiable only when you have unique requirements that off-the-shelf tools can’t meet, or when you need deep integration with a proprietary system.

API Changes and Staying Current

Instagram’s API evolves regularly. Here’s how to stay current:

Follow Official Channels

Meta for Developers Blog: Announcements about API changes, deprecations, and new features
Instagram Developer Documentation: The canonical reference for endpoints and parameters
Meta Developer Community: Forums for troubleshooting and best practices

Version Management

Instagram Graph API is versioned. When a new version is released:

Your existing integrations continue working on the current version for ~2 years
New features are available only in the latest version
Plan migrations ahead of deprecation deadlines

Common Breaking Changes

Permission scope changes
Field deprecations
Rate limit adjustments
Webhook payload format changes
Authentication flow updates

If you’re building custom integrations, implement API version pinning and build automated tests that alert you when responses change.

Frequently Asked Questions

Do I need to be a developer to use the Private Reply API?

Not if you use a no-code automation platform like ManyChat or MobileMonkey. These tools handle the API integration for you and provide visual interfaces for building automation rules. You only need development skills if you’re building a custom integration from scratch.

Is the Private Reply API the same as the Messaging API?

They’re related but distinct. The Private Reply API specifically handles DM responses to comments. The broader Instagram Messaging API covers all DM functionality, including initiating conversations, managing message threads, and handling inbound messages.

Can I use the Private Reply API on personal Instagram accounts?

No. The Graph API (which includes Private Reply) requires a Business or Creator account connected to a Facebook Page. Personal accounts cannot access these endpoints.

What happens if my access token expires?

Instagram access tokens have limited lifespans. Short-lived tokens last about 1 hour. Long-lived tokens can last up to 60 days. Your integration needs to handle token refresh to maintain continuous automation. Most automation platforms handle this automatically.

Can I send rich media (images, videos) via Private Reply?

Limited support exists in newer API versions for sending media via DM, but it’s not universally available and has restrictions. For most use cases, text-based DMs with links are the reliable approach.

Security Best Practices

Token Security

Never expose access tokens in client-side code or public repositories
Store tokens in environment variables or secure secret management systems
Rotate tokens regularly when building custom integrations
Use the principle of least privilege when requesting scopes

Webhook Security

Validate webhook signatures to ensure requests originate from Meta
Implement the webhook verification challenge properly
Use HTTPS for your webhook endpoint
Log and monitor webhook traffic for anomalies

Data Handling

Only collect and store the Instagram data you actually need
Implement data retention policies (delete old comment data)
Comply with Meta’s Platform Terms and Developer Policies
Be transparent with users about automated messaging

The Bottom Line

The Instagram Private Reply API is a powerful tool that enables automated, programmatic DM responses to comments. For most businesses, the easiest path to leveraging it is through an existing automation platform. For developers building custom solutions, the API is well-documented and relatively straightforward to implement — provided you handle authentication, rate limiting, and error cases properly.

Understanding the API’s capabilities and limitations helps you build more effective automation, whether you’re using a no-code platform or writing your own integration from scratch. The key is staying within Meta’s guidelines, respecting user preferences, and using automation to enhance — not replace — genuine human connection.

For the compliance rules that govern this API, see our Instagram DM automation compliance guide.