Integration
Growcita + Meta
The Paid Media and Organic Social agents connect directly to Facebook, Instagram, and Meta Ads via Meta's OAuth so they can read campaign and content performance, publish approved posts, and execute approved ad changes — all under the autonomy level and guardrails you configure.
Meta App Review in progress — developer / tester access only until approval lands.
What the integration does
Once you connect your Facebook account, Growcita uses the Facebook Marketing API and Instagram Graph API to power these features:
- Ads performance reporting: Pull spend, impressions, reach, clicks, conversions, ROAS, and CPA across your Meta ad accounts, campaigns, ad sets, and ads. Surface the data on the Paid Media dashboard.
- Approved campaign edits: Create paused campaigns and ad sets, adjust budgets within your daily-change guardrail, pause underperformers, and update ad copy and creative.
- Custom and Lookalike audiences: Build and update audiences on the connected ad account — with explicit user consent for any first-party audience uploads.
- Organic Facebook Page posts: Publish or schedule approved posts to the Facebook Pages you manage, using the page-scoped access tokens Meta returns alongside your user token.
- Organic Instagram posts: Publish approved photo and video posts to the Instagram Business accounts linked to your Pages, and read post insights for performance reporting.
- Instagram comments inbox: Read, reply to, hide, and delete comments on media owned by the connected Instagram Business account — only when the community-management agent is explicitly enabled.
New ad campaigns are always created in PAUSEDstate. Enabling a campaign requires a human approval action — the agent cannot flip a campaign live on its own.
Data we read
- · Ad accounts you have access to (id, name, currency)
- · Campaigns, ad sets, ads, audiences, and creatives
- · Spend, impressions, reach, clicks, conversions, ROAS, CPA
- · Facebook Pages you manage (id, name, page-scoped token)
- · Instagram Business accounts linked to those Pages
- · Public post and reel insights for connected IG accounts
- · Comments on media owned by the connected IG account
Data we write
- · Create campaigns and ad sets (always paused)
- · Adjust budgets (gated by your max-daily-change %)
- · Pause / resume campaigns and ad sets
- · Create or update Custom and Lookalike audiences
- · Publish approved posts to Facebook Pages
- · Publish approved photos and videos to Instagram
- · Reply to, hide, or delete IG comments on your media
Every write passes through autonomy, budget, guardrail, and approval gates before reaching the Meta APIs.
OAuth scopes we request
When you click “Connect Meta” in your Growcita dashboard, we redirect you to Facebook's consent screen and request only the scopes required to deliver the features you signed up for. Each scope below must be individually approved through Meta App Review before non-developer users can complete the flow.
| Scope | Why we need it |
|---|---|
| ads_management | Required to create, edit, pause, and resume campaigns, ad sets, and ads, plus to manage Custom and Lookalike audiences. |
| ads_read | Read spend, impressions, conversions, ROAS, and other performance metrics for the Paid Media dashboard. |
| business_management | Enumerate the Meta Business accounts you belong to so we can attach the right ad accounts and Pages to your Growcita workspace. |
| pages_show_list | List the Facebook Pages you manage so you can pick which ones Growcita should publish to or read insights from. |
| pages_read_engagement | Read post engagement on Pages you manage so the Organic Social agent can report on content performance. |
| pages_manage_posts | Required so the page-scoped tokens returned by /me/accountscan publish to the Page's feed. Without this scope, organic Page posts fail with a permissions error. |
| instagram_basic | Read the Instagram Business accounts linked to your Pages (id, username, follower count) for the picker UI. |
| instagram_content_publish | Required to publish photos and videos to connected Instagram Business accounts via the IG Graph API. |
| instagram_manage_insights | Read post and reel insights for the Instagram accounts you publish to, so the Organic Social agent can report on performance. |
| instagram_manage_comments | List, reply to, hide, and delete comments on media owned by the connected Instagram Business account — only used when the community-management agent is enabled. |
We only request scopes for features you intend to use. If you decline a scope at the consent screen, Growcita skips the features that depend on it rather than failing the connection.
Meta Platform Terms commitment
Growcita's use of Platform Data received from Meta adheres to the Meta Platform Terms and the Developer Policies.
- No selling Platform Data. We do not sell, license, or share Meta Platform Data with data brokers, advertising networks, or other unrelated third parties.
- No model training. We do not use Meta Platform Data to train generalized AI models. The only models that ever see your data are the per-session agent invocations that produce the outputs you requested.
- Purpose limitation. We use Meta Platform Data only to deliver the features described on this page and elsewhere in the Growcita product.
- Retention.When you disconnect, the encrypted access token is deleted from our database within 24 hours. Cached performance data and dashboards are deleted within 30 days on request — or sooner via the in-app delete flow.
How we secure your data
- Encrypted tokens. Meta long-lived user tokens and page-scoped tokens are stored in our Supabase Postgres database encrypted at rest. Access tokens are never written to disk in plaintext.
- Silent refresh. Meta's ~60-day long-lived tokens self-refresh via the
fb_exchange_tokengrant. We re-mint tokens before they expire so you never see surprise disconnections. - TLS in transit. All requests to Meta APIs and between Growcita services use TLS 1.2 or higher.
- Scoped service identity. Workers run with least-privilege service accounts and can only access the credentials of the user whose task they are processing.
- Audit log on every write. Every Meta write is recorded in our internal
tool_executionstable with the tool name, input size, duration, and outcome. Paid-media writes also snapshot pre/post campaign state for guardrail evaluation. - Guardrails before every write. See our security disclosure policy for vulnerability reporting and the features page for autonomy levels and human-approval gates.
Revoke access at any time
You can revoke Growcita's access to your Meta data instantly:
- 1. Go to Settings → Business Integrations on Facebook
- 2. Find “Growcita” and click Remove
- 3. Or, sign in to Growcita and disconnect from the Integrations page
Delete stored Meta data
Disconnecting deletes the encrypted access tokens from our database. To delete cached performance data and dashboards as well, follow the Data Deletion Instructions, or email privacy@growcita.com. Requests are processed within 30 days.
Independent third party
Growcita is an independent third-party application built on the Meta Marketing API and Instagram Graph API. We are not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc. “Facebook”, “Instagram”, and “Meta” are trademarks of Meta Platforms, Inc.
Ready to connect?
Sign in to Growcita and connect your Facebook account in two clicks. You stay in control of which Pages, Instagram accounts, and ad accounts the agents can touch.