For Meta Reviewers

Meta App Review Information

This page provides Meta App Review teams with all necessary information about InboxCore, including what it does, how data flows, and how to test the application.

1. What InboxCore Does

InboxCore is a shared inbox and CRM that enables businesses to manage customer conversations received via Instagram Direct Messages. Key capabilities:

  • Shared Inbox — Multiple team members view and respond to Instagram DMs from a single dashboard
  • Manual Replies — All replies are manually composed and sent by human agents. No automated messages are sent without human oversight.
  • CRM Integration — Conversations are linked to contact records for customer relationship management
  • Team Collaboration — Assign conversations to agents, add internal notes, track response metrics

2. Data Flow

OAuth Connection Flow

  1. User initiates Instagram connection from Dashboard Settings
  2. Redirect to Facebook OAuth dialog requesting: instagram_basic, instagram_manage_messages, pages_manage_metadata, pages_show_list
  3. Exchange authorization code for long-lived Page Access Token
  4. Subscribe the Page to webhook events (messages, messaging_postbacks, message_deletes)
  5. Store account info + encrypted token in database

Webhook Data Flow

  1. Meta sends POST to /api/webhooks/instagram with X-Hub-Signature-256 header
  2. Server verifies HMAC SHA-256 signature against App Secret (fail-closed)
  3. Message content (text, message ID, timestamp) stored in Supabase PostgreSQL
  4. Media files (images, video, audio) are never stored — displayed directly from Instagram CDN URLs
  5. Dashboard updates in real-time via Supabase Realtime
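
The fail-closed signature check in step 2, sketched in Node.js as an added example (this is not InboxCore's own code). The function names, the 401/400 status codes and the sample secret and body are assumptions constructed for illustration; the `sha256=<hex>` header format is the one Meta uses for X-Hub-Signature-256.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const PREFIX = "sha256=";

// Returns true only when the header carries a valid HMAC-SHA256 of rawBody.
// Every missing or malformed input returns false, so the check fails closed.
function verifyMetaSignature(rawBody, signatureHeader, appSecret) {
  if (!appSecret || typeof signatureHeader !== "string") return false;
  // The HMAC must cover the bytes as received, not re-serialized JSON.
  if (!Buffer.isBuffer(rawBody)) return false;
  if (!signatureHeader.startsWith(PREFIX)) return false;

  const hex = signatureHeader.slice(PREFIX.length);
  if (!/^[0-9a-f]{64}$/i.test(hex)) return false;

  const expected = createHmac("sha256", appSecret).update(rawBody).digest();
  const received = Buffer.from(hex, "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return timingSafeEqual(expected, received);
}

// Hypothetical handler core: the body is parsed only after verification.
function handleWebhook(rawBody, headers, appSecret) {
  if (!verifyMetaSignature(rawBody, headers["x-hub-signature-256"], appSecret)) {
    return { status: 401, event: null };
  }
  try {
    return { status: 200, event: JSON.parse(rawBody.toString("utf8")) };
  } catch {
    return { status: 400, event: null };
  }
}

// Constructed sample data (not a real App Secret or a captured payload).
const SAMPLE_SECRET = "constructed-app-secret";
const SAMPLE_BODY = Buffer.from('{"object":"instagram","entry":[]}');
const SAMPLE_SIG =
  PREFIX + createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");
```

In a Next.js route handler the raw bytes have to be read before any JSON parsing, because a re-serialized body will not match the signature.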

Data Storage & Retention

  • Database: Supabase (PostgreSQL) with Row-Level Security
  • Hosting: Vercel (Next.js)
  • Stored: Message text, timestamps, message IDs, participant usernames, Page Access Tokens (server-side only)
  • NOT stored: Media files, passwords, user credentials
  • Retention: Data retained while account is active. Deleted within 30 days of disconnection or deletion request.
  • Message deletion compliance: When a user deletes a message on Instagram, our webhook handler immediately removes it from our database.

3. Policy Pages

4. Meta Dashboard Configuration Checklist

App Settings > Basic: App ID, App Secret, Privacy Policy URL, Terms of Service URL configured
App Settings > Basic: App Icon (1024x1024) uploaded
App Settings > Basic: Data Deletion URL configured
App Settings > Basic: Category set to 'Business and Utility'
Products > Messenger: Webhook URL set to /api/webhooks/instagram
Products > Messenger: Subscribed to messages, messaging_postbacks, message_deletes
Products > Messenger: Webhook Verify Token configured
App Review: Business Verification completed
App Review: Tech Provider Verification completed

5. Test Instructions

Test Credentials

URL: https://inboxcore.fr/login

Email: reviewer@inboxcore.fr

Password: [TO BE CONFIGURED]

Testing Steps

  1. Navigate to the login URL above and sign in with the test credentials
  2. Click "Instagram" in the left sidebar to open the DM inbox
  3. The inbox displays existing Instagram DM conversations with participant names and profile pictures
  4. Click on any conversation to view the full message thread
  5. Type a reply in the message composer at the bottom and click Send
  6. The reply is delivered to the customer on Instagram
  7. To test receiving a new message: Open Instagram on a second device, send a DM to the connected business account, and return to the dashboard — the message appears in real-time

Note: Reviewers can test from any country. No geographic restrictions apply. The test account has read and reply permissions only (non-admin).

6. Permissions Justification

instagram_basic

Required to identify the connected Instagram Business Account and display account information in the dashboard.

instagram_manage_messages

Required to receive incoming Instagram DMs via webhooks and send replies on behalf of the business. This is the core functionality of our shared inbox.

pages_manage_metadata

Required to subscribe the Facebook Page to webhook events (messages, message_deletes) so we can receive real-time notifications.

pages_show_list

Required to list the user's Facebook Pages during the OAuth connection flow, so we can identify which Page is linked to their Instagram Business Account.