Webhook setup required: Before using this trigger, configure a webhook subscription in the Meta Developer Console for your app. Set your BizFirst webhook endpoint URL, configure the verify_token, and subscribe to the Instagram topic fields you need (comments, messages, feed, mentions, story_insights, live_comments).
When to Use
- Real-time comment moderation: Subscribe to
comments events and trigger moderation workflows immediately when new comments appear on your posts — hiding spam, escalating sensitive content, or auto-responding to questions.
- Automated DM responder: Subscribe to
messages events to trigger instant acknowledgement workflows when users send your account a direct message, before routing to a support agent or CRM.
- Brand mention monitoring: Subscribe to
mentions events to detect when your account is tagged in posts or stories, triggering engagement workflows such as likes, comment responses, or CRM lead capture.
- Live stream engagement: Subscribe to
live_comments events during live broadcasts to power real-time audience interaction workflows — reading out comments, triggering animations, or moderation.
- Story performance alerts: Subscribe to
story_insights events to receive performance data when a story expires, triggering analytics ingestion and performance alert workflows.
- Feed activity workflows: Subscribe to
feed events to detect new post activity and automatically trigger social listening or cross-platform syndication workflows.
Configuration
Webhook Security
| Field | Required | Description |
verifyToken | Required | A secret string you define and configure in the Meta Developer Console. Used to verify webhook subscription handshake requests from Meta. |
appSecret | Optional | Your Meta app secret, used to validate HMAC-SHA256 webhook payload signatures. Not recommended for production — use appSecretVaultKey. |
appSecretVaultKey | Optional | BizFirst Credentials Manager key referencing the Meta app secret. Preferred over appSecret for security. One of appSecret or appSecretVaultKey is required. |
Event Filtering
| Field | Required | Description |
resource | Required | Must be trigger. |
operation | Required | Must be receive-event. |
eventTypes | Optional | Array (or JSON string) of event type names to process. If omitted, all event types are emitted. Supported values: comments, messages, story_insights, feed, mentions, live_comments. |
Signature validation is mandatory: Always configure appSecretVaultKey. Without signature validation, your webhook endpoint will accept forged payloads from any source. Meta signs every webhook delivery with an HMAC-SHA256 hash of the payload body using your app secret. The node rejects requests with an invalid or missing X-Hub-Signature-256 header.
Sample Configuration JSON
{
"resource": "trigger",
"operation": "receive-event",
"verifyToken": "{{ $env.IG_WEBHOOK_VERIFY_TOKEN }}",
"appSecretVaultKey": "meta_app_secret",
"eventTypes": ["comments", "messages", "mentions"]
}
Supported Event Types
| Event Type | Description | Required Permission |
comments | New comments on your media posts. Includes comment text and author. | instagram_manage_comments |
messages | Incoming direct messages to your account. Includes message text and sender PSID. | instagram_manage_messages |
feed | Activity on your posts — new posts, reactions, and other feed events. | instagram_basic |
mentions | When another account tags or mentions your account in a post or story. | instagram_manage_comments |
story_insights | Performance insights delivered when a story expires (after 24 hours). | instagram_manage_insights |
live_comments | Real-time comments posted during an active Instagram Live broadcast. | instagram_manage_comments |
Validation Errors
| Error | Cause |
verifyToken is required | verifyToken field is missing or empty. |
appSecret or appSecretVaultKey is required | Neither secret field is provided. Signature validation cannot proceed. |
invalid_signature | The X-Hub-Signature-256 header does not match the computed HMAC-SHA256 of the payload. Payload is rejected. |
verify_token_mismatch | The hub.verify_token query parameter in the subscription handshake does not match the configured verifyToken. |
Output
Success Port
| Field | Type | Description |
status | string | "success" |
eventType | string | The type of event received — one of comments, messages, story_insights, feed, mentions, live_comments. |
objectId | string | The Instagram object ID the event relates to (e.g. post ID, user ID, or media ID). |
field | string | The webhook field name that triggered the event (e.g. "comments", "messages"). |
value.mediaId | string | Media ID associated with the event (for comment/feed events). |
value.commentId | string | Comment ID (for comment events). |
value.messageId | string | Message ID (for message events). |
value.senderId | string | Page-Scoped ID (PSID) of the sender (for message events). |
value.text | string | Text content of the comment or message. |
value.timestamp | string | ISO 8601 timestamp of when the event occurred. |
value.additionalData | object | Additional event-specific fields not mapped to named properties (varies by event type). |
Error Port
| Field | Type | Description |
status | string | "error" |
errorCode | string | Error code — e.g. "invalid_signature", "verify_token_mismatch". |
errorMessage | string | Error description. |
Sample Output JSON
Comment event
{
"status": "success",
"eventType": "comments",
"objectId": "17841400000000000",
"field": "comments",
"value": {
"mediaId": "17855590000000001",
"commentId": "17858893000000002",
"messageId": null,
"senderId": null,
"text": "Love this product! Where can I buy it?",
"timestamp": "2026-01-15T14:32:00Z",
"additionalData": {}
}
}
Message event
{
"status": "success",
"eventType": "messages",
"objectId": "17841400000000000",
"field": "messages",
"value": {
"mediaId": null,
"commentId": null,
"messageId": "aWdfZAG9waW50ZAXJlY29yZABhc3NldABuYW1lAA==",
"senderId": "17858893300000001",
"text": "Hi! Do you ship internationally?",
"timestamp": "2026-01-15T14:35:22Z",
"additionalData": {}
}
}
Expression Reference
| Expression | Value |
{{ $output.instagram.eventType }} | Event type string |
{{ $output.instagram.objectId }} | Object ID the event relates to |
{{ $output.instagram.value.senderId }} | Sender PSID (for messages events) |
{{ $output.instagram.value.commentId }} | Comment ID (for comments events) |
{{ $output.instagram.value.text }} | Text content of the comment or message |
{{ $output.instagram.value.mediaId }} | Media ID associated with the event |
{{ $output.instagram.value.timestamp }} | Event timestamp (ISO 8601) |
Node Policies & GuardRails
- Always validate signatures: Configure
appSecretVaultKey without exception. Skipping signature validation exposes your workflow to forged webhook payloads that could trigger unintended automation.
- Respond within 20 seconds: Meta requires your webhook endpoint to return HTTP 200 within 20 seconds of receiving a delivery. If your workflow is complex, return 200 immediately and process asynchronously. Repeated timeouts will cause Meta to disable your webhook subscription.
- Handle duplicate deliveries: Meta may deliver the same webhook event more than once. Use the event's
value.messageId or value.commentId as an idempotency key and check for duplicates before processing.
- Filter event types explicitly: Always specify
eventTypes to process only what your workflow needs. Processing all event types indiscriminately increases processing load and may expose your workflow to event types it is not designed to handle safely.
- GDPR: Message content and sender IDs from
messages events are personal data. Do not persist full message text beyond operational necessity. Implement retention limits and honour deletion requests.
- Verify token rotation: The
verifyToken is used during webhook subscription verification. If you suspect it has been exposed, rotate it in both your Meta App configuration and your BizFirst workflow settings simultaneously to avoid breaking the subscription.
- Rate awareness: Instagram webhooks are subject to Meta's delivery rate limits. High-volume accounts (e.g. large follower counts) may generate burst comment or message events. Ensure your workflow can handle bursts without exceeding downstream API rate limits.
Meta Webhook Setup Checklist
- In the Meta Developer Console, go to your app's Webhooks settings.
- Add a new subscription for the Instagram object.
- Set the Callback URL to your BizFirst webhook endpoint URL.
- Set the Verify Token to match your configured
verifyToken.
- Subscribe to the fields matching your desired event types:
comments, messages, feed, mentions, story_insights, live_comments.
- Click Verify and Save — Meta will send a GET handshake request to your endpoint to verify the token.
- Ensure your Meta app has App Review approval for any sensitive permissions (
instagram_manage_messages, instagram_manage_insights).
Examples
Real-time comment auto-response trigger
{
"resource": "trigger",
"operation": "receive-event",
"verifyToken": "{{ $env.IG_WEBHOOK_VERIFY_TOKEN }}",
"appSecretVaultKey": "meta_app_secret",
"eventTypes": ["comments"]
}
// On success: route to comment moderation workflow
// Check value.text for keywords → reply, hide, or escalate to CRM
Triggered whenever a new comment is posted on any of your Instagram posts. The value.commentId and value.text are passed to a moderation node that checks for spam patterns or buying intent keywords before routing to the appropriate response workflow.
Automated DM acknowledgement and CRM routing
{
"resource": "trigger",
"operation": "receive-event",
"verifyToken": "{{ $env.IG_WEBHOOK_VERIFY_TOKEN }}",
"appSecretVaultKey": "meta_app_secret",
"eventTypes": ["messages"]
}
// value.senderId → used as recipientId in messaging/send for immediate ack
// value.text → passed to AI intent classifier to route to correct CRM queue
// value.timestamp → used as message deduplication key
Fires when any user sends a DM to the business account. The workflow immediately triggers a messaging/send acknowledgement using value.senderId as the recipientId, then creates a CRM ticket with the message text and sender ID.
Multi-event unified listener
{
"resource": "trigger",
"operation": "receive-event",
"verifyToken": "{{ $env.IG_WEBHOOK_VERIFY_TOKEN }}",
"appSecretVaultKey": "meta_app_secret",
"eventTypes": ["comments", "messages", "mentions", "feed"]
}
// Branch on eventType:
// "comments" → comment moderation workflow
// "messages" → DM responder workflow
// "mentions" → mention engagement workflow
// "feed" → cross-platform syndication workflow
A single webhook trigger node that fans out to four different downstream workflows using a Switch node branching on {{ $output.instagram.eventType }}. Reduces the number of webhook subscriptions needed to one endpoint per account.