Bring your own Meta key

Why use your own key

Your Business Manager, your ad accounts, your token. Bringing your own key means the credentials AdscendiX uses to talk to Meta belong to you — issued from your account, scoped to the assets you choose, and revocable from your end at any time without going through us.

Same dashboard, same AI insights, same ad publishing — but the line of trust runs straight from Meta to you. Some owners prefer this for compliance, multi-agency setups, or simply because they like having one less middleman in the auth chain.

Before you start (both paths)

• You manage your Pages and ad accounts under a Meta Business Manager at business.facebook.com . You own (or admin) the Pages and at least one ad account.
• You have at least one Meta app at developers.facebook.com/apps . Both paths use this app to issue the token against. If you don’t have one: click Create App → pick Other for use case → pick Business for type → name it whatever (“AdscendiX BYOK” is fine). Takes 2 minutes. No app review required.
• Your AdscendiX account exists — sign up first at /signup if you haven’t already.

1 Generate a token in Graph API Explorer

1. Open Graph API Explorer .
2. In the right panel, set Meta App to your app (the one from the prereqs).
3. Click the Permissions dropdown and tick all of these:

   Ad campaign management:

   • ads_read
   • ads_management
   • business_management

   Pages + Instagram analytics:

   • pages_show_list
   • pages_read_engagement
   • pages_read_user_content
   • read_insights
   • instagram_basic
   • instagram_manage_insights

   Publishing posts (Publish Hub — Facebook & Instagram):

   • pages_manage_posts
   • instagram_content_publish
4. Click Generate Access Token. A Meta popup appears — click Continue on each permission screen. (If popups are blocked, allow popups for developers.facebook.com and retry.)
5. The token now shows at the top of Graph API Explorer. Don’t close the tab yet — you’ll extend it in the next step.

2 Extend it to a 60-day token

The token Graph API Explorer just gave you is short-lived (1–2 hours). Extending it gives you a ~60-day token that AdscendiX can keep using.

1. In Graph API Explorer, click the small information icon (i) next to your token at the top of the page.
2. Click Open in Access Token Tool. A new tab opens with token diagnostics.
3. Scroll to the bottom and click Extend Access Token. You may need to enter your Facebook password.
4. A new long-lived token appears at the bottom of the page. Copy it — that’s the one you paste into AdscendiX.

3 Paste it into AdscendiX

1. Open Dashboard → Account.
2. Scroll to Bring your own Meta key and click Add System User token. (Button name is historical — it accepts any valid Meta token.)
3. Paste the long-lived token from step 2. Leave Business ID blank.
4. Click Validate & Save. AdscendiX checks the token with Meta (calls /me, /debug_token, /me/adaccounts) and encrypts before storing.

4 Wire your assets to each brand

After save, the wizard walks you through the assets your token surfaces — Pages first, then ad accounts. Each AdscendiX brand can hold one Page (which auto-links its connected Instagram account) and one ad account.

1. Pick a brand from the dropdown.
2. Pick the Page that belongs to it. Linked Instagram comes along automatically.
3. Pick the ad account that belongs to it.
4. Click Assign. The brand’s dashboard now pulls live data from all three.

Got multiple brands? Repeat for each one. You can always come back to Account later to reshuffle.

When the token expires (~60 days)

AdscendiX will email you a heads-up a week before expiration. When that happens:

1. Repeat step 1 (Generate Access Token).
2. Repeat step 2 (Extend to 60-day).
3. Repeat step 3 (Paste into AdscendiX). The same Meta identity is detected — the new token replaces the old in place. No brand re-wiring needed.

Tired of renewing? Upgrade to the Long-lived path (below) once you’re past the initial setup.

Extra prereqs (on top of the common ones above)

• You have Admin access on your Business Manager (not Employee). Check at Business Settings → People — your role next to your name must say Admin.
• Two-factor authentication is enabled on the personal Meta account you log in with. Turn it on at Accounts Center → Password and security .
• Some Business Managers require Business Verification before System User creation. If your Add button is greyed out and the first two prereqs are met, this is likely the cause.

A Create a System User in Business Manager

1. Open Business Settings → Users → System Users .
2. Click Add. Name it something memorable like “AdscendiX integration” so you can find it later.
3. Set the role to Admin. (Employee role works for read-only analytics, but ad publishing needs Admin.)

B Assign your Pages and ad account(s)

Your System User needs access to everything AdscendiX will read or write — Pages, ad accounts, and any Instagram business accounts linked to those Pages.

1. Click the System User you just created. In the right panel, click Add Assets.
2. Pages — pick every Facebook Page you want to manage. Toggle on Manage Page for full access. Connected Instagram business accounts come along for free.
3. Ad Accounts — pick every ad account you want AdscendiX to run campaigns through. Toggle on Manage campaigns and View performance for each.
4. Click Save Changes.

C Generate the token

1. On the System User detail page, click Generate New Token.
2. Pick the Meta app to issue against — this is the app from the common prereqs. If the dropdown is empty, you skipped that — go create an app at developers.facebook.com/apps first.
3. Select the same nine scopes listed in Quick path step 1.
4. Set token expiration to Never (this is the whole point of the Long-lived path).
5. Click Generate Token. Copy the token immediately — Meta only shows it once, and you can’t recover it. (You can always generate a new one if you lose it.)

D Paste it into AdscendiX

Same as Quick path step 3. If you already had a token in AdscendiX (from the Quick path), it’s replaced in place — the System User token now takes over and your brand wiring stays untouched.

Revoking the token

You can pull the token out at any time. Two surfaces, depending on path:

• From AdscendiX (both paths): Account → Meta connections → the BYOK row → Remove. This clears the token from our database and disconnects any brands that were using it.
• Quick path — revoke at Meta: Accounts Center → Apps and websites → find your Meta app → Remove. This kills the User Access Token immediately.
• Long-lived path — revoke at Meta: Business Settings → Users → System Users → your integration user → Generated Tokens → Delete.

How we store the token

• The token is encrypted with AES-256-GCM the moment it reaches our server. The encryption key lives in Google Secret Manager — it isn’t in any source file.
• The browser never holds the token after you paste. Every read goes through a Cloud Function that decrypts in memory and never returns the raw token to the client.
• Stored under your user record with source: “byok-system-user” alongside any OAuth connections. The two paths share zero state — replacing one doesn’t affect the other.
• We do not ship the token to third-party AI services. AI features see only aggregated, non-identifying metrics (per our Privacy Policy).

Troubleshooting

“The Add button on the System Users page is grayed out.”

Three causes, in order of likelihood. (1) You're Employee, not Admin — only Admins can create System Users. Check at Business Settings → People. (2) Two-factor auth isn't enabled on your personal Meta account — Meta silently disables this for accounts without 2FA. Turn it on at Accounts Center → Password and security. (3) Your Business Manager needs to complete Business Verification — start at Business Settings → Security Center. Or skip the whole thing and use the Quick path above — it doesn't need any of these.

“The Meta app dropdown is empty when I try to generate a token.”

You don't have any Meta apps yet. Go to developers.facebook.com/apps → Create App → pick Other → pick Business → name it. No app review needed for either path's token. Come back and your new app will appear in the dropdown.

“Extend Access Token doesn't appear / does nothing in the debugger.”

The token is already older than ~2 hours and Meta won't extend it. Regenerate in Graph API Explorer and click Extend within a couple minutes.

“Token accepted, but no ad accounts are visible.”

Either (a) the token's account has no ad accounts assigned (System User path: go back to step B, add ad accounts, then re-paste), or (b) you forgot to tick ads_read when generating. Easy way to check: visit https://developers.facebook.com/tools/debug/accesstoken/, paste the token, look at the Scopes line.

“Missing scope ads_management.”

Regenerate the token and make sure ads_management is checked. Graph API Explorer sometimes resets scope picks when you change apps mid-flow.

“Token validation failed with code 190.”

The token was revoked or expired. Regenerate and re-paste — the BYOK record updates in place.

I want to upgrade from Quick path to Long-lived

Go through the Long-lived path steps. When you paste the new System User token, AdscendiX detects the same identity and replaces the old token in place. Brand wirings stay untouched.

I want to move from BYOK back to OAuth

Remove the BYOK token from Account → Meta connections, then use the standard Connect to Meta button on any brand. The two flows can also coexist — some brands on BYOK, others on OAuth.

Can a team member use the owner's BYOK token?

Yes — guest seats on your workspace transparently route through a server proxy that holds the owner's token. Guests never see or download the token; they just see the brand data as if they were logged in as the owner.