Scope & Permission Details
This page documents all OAuth scopes/permissions requested by the FlyWhale demo, the corresponding UI actions, API endpoints called, and data retrieved.
Meta Graph API Permissions
| Permission | UI Action | API Endpoint | Data Retrieved |
|---|---|---|---|
| pages_show_list (Required) | Discover Accounts | GET /me/accounts | Facebook Page IDs, names, and linked Instagram Business accounts |
| pages_read_engagement (Required) | View Page Stats | GET /{page-id} | Page engagement metrics and statistics |
| instagram_basic (Required) | View IG Profile & Media | GET /{ig-user-id} & GET /{ig-user-id}/media | Instagram username, profile picture, followers count, media list with captions |
| instagram_manage_insights (Required) | View IG Insights | GET /{ig-user-id}/insights & GET /{ig-media-id}/insights | Account reach, impressions, profile views; per-post engagement metrics |
| ads_read (Required) | View Ad Performance | GET /act_{ad-account-id}/insights | Ad account impressions, reach, spend, clicks, CPM, CPC, CTR |
TikTok API Permissions
| Permission | OAuth Flow | UI Action | API Endpoint | Data Retrieved |
|---|---|---|---|---|
| user.info.basic (Required) | Login Kit | View Profile | GET /v2/user/info/ | Display name, avatar URL, bio, follower/following counts, likes count, verification status |
| video.list (Required) | Login Kit | View Videos | POST /v2/video/list/ | Video IDs, titles, descriptions, cover images, view/like/comment/share counts |
| research.adlib.basic (Required) | Login Kit | Search Ad Library | POST /v2/research/adlib/ad/query/ & /report/ | Public ad information: advertiser name, impressions range, spend range, targeting |
| Business API Access (Optional) | Business API | View Own Ads | /open_api/v1.3/advertiser/info/ & /report/integrated/get/ | Own advertiser accounts, ad performance metrics, spend data |
Data Handling
Token Storage
OAuth tokens are encrypted using AES-256-GCM before storage in Supabase. Tokens are session-scoped and automatically deleted when the demo is reset.
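The following is an added example, not FlyWhale's own code, of sealing an OAuth token with AES-256-GCM before it is written to a database row. The function names, the stored layout (nonce, ciphertext, tag) and the use of the session ID as additional authenticated data are assumptions of this example.

```javascript
// Added example: sealToken/openToken and the blob layout are hypothetical.
const crypto = require('node:crypto');

const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;   // 128-bit authentication tag

// Encrypt a token; returns base64(nonce || ciphertext || tag).
// The session ID is bound as AAD (an assumption of this example), so a row
// copied into another session fails authentication on decrypt.
function sealToken(key, sessionId, token) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per call, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(sessionId, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString('base64');
}

// Decrypt; returns the token, or null when the blob is malformed,
// modified, sealed under another key, or bound to a different session.
function openToken(key, sessionId, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(raw.length - TAG_LEN);
  const ct = raw.subarray(NONCE_LEN, raw.length - TAG_LEN);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce,
      { authTagLength: TAG_LEN });
    decipher.setAAD(Buffer.from(sessionId, 'utf8'));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // tag check failed: release no plaintext
  }
}

// Constructed sample values, not real credentials.
const demoKey = crypto.randomBytes(32);
const stored = sealToken(demoKey, 'session-A', 'constructed-access-token');
console.log(openToken(demoKey, 'session-A', stored)); // token recovered
console.log(openToken(demoKey, 'session-B', stored)); // null: wrong session
```

The key itself belongs outside the database (for example in the server's secret store), otherwise a database read exposes both ciphertext and key.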
Data Retention
API response data is displayed in real-time and not permanently stored. Connected account information is cached for the duration of the demo session.
Demo Reset
The "Reset Demo" button deletes all stored tokens, connected accounts, and session data from the database.