Web Developer& AI Consultant
markus stoeger
ContactDE
← Back to claude-meta-mcp
Setup guide · ~20 min

Set up your Meta App and System User token

Step by step: from an empty Meta Developer dashboard to a working System User token in the connector .env. About 20 minutes if you already have a Business Portfolio, ~40 minutes otherwise.

This is the official companion guide for the claude-meta-mcp v0.4 connector. System User tokens are preferred over regular user access tokens because they do not expire and are designed for server-to-server use. UI labels below assume your Meta account is set to English.

Overview
  1. Create a Meta Developer App and pick the five use cases
  2. Attach the app to a Meta Business Portfolio
  3. Create a System User in the Business Portfolio
  4. Assign assets (app, ad account, page, catalog) to the System User
  5. Generate the System User token
  6. Validate the token and drop it into .env
Step 01

Create a Meta Developer App

  1. Sign in at developers.facebook.com/apps and click »Create app«.
  2. Pick a name (e.g. claude-meta-mcp) and a contact email. Skip the optional Business Portfolio assignment for now — we attach it in step 3.
  3. After creation you land on the App dashboard.
Step 02

Pick the five Use Cases

Meta replaced the old »select permissions individually« flow with a Use Case wizard in 2024–2025.

In the App dashboard go to »Use cases → Add use case« and add these five cases — together they cover the full v0.4 toolset (47 tools):

  • »Measure ad performance with Marketing API« → provides ads_read, business_management, read_insights
  • »Create and manage ads with Marketing API« → provides ads_management, business_management
  • »Manage everything on your Page« → provides pages_show_list, pages_manage_posts, pages_manage_metadata, pages_read_engagement
  • »Manage messaging and content on Instagram« → provides instagram_basic, instagram_content_publish, instagram_manage_comments, instagram_manage_insights
  • »Manage products with Catalog API« → provides catalog_management (for Product Catalog inspection: businesses, catalogs, feeds, products, diagnostics)
Noteinstagram_manage_messages (DM access) is intentionally NOT enabled. Even for own accounts Meta requires App Review for that scope. The connector currently exposes no DM tool.

After selecting these use cases, the App's »Permissions and Features« tab will show every permission as »Standard Access (granted by default)« — for own assets you don't need to submit anything for App Review.

Step 03

Attach the app to a Business Portfolio

This is the step most people miss — without it, System User tokens fail with »could not be decrypted«.

  1. In the Meta Developer dashboard go to »App settings → Basic«.
  2. Scroll to »Business Portfolio« at the bottom.
  3. Pick your existing portfolio, or »Create new« if you don't have one yet.
  4. Click »Save changes« at the bottom.

Verify in business.facebook.com → Settings → Accounts → Apps: your app should now appear in the list.

Step 04

Create a System User

  1. In business.facebook.com → Settings (bottom left) → Users → System Users.
  2. »Add« → name e.g. claude-mcp → role: Admin (System Admin).
  3. Click the new System User to open its details panel.
Step 05

Assign assets to the System User

The System User needs explicit access to the App, the Ad Account, the Page, and (for v0.4 catalog tools) the Catalog.

In the System User detail panel, click »Add Assets« for each:

  • Tab Apps → check claude-meta-mcp → role »Develop app« or »Manage app«.
  • Tab Ad Accounts → check your ad account, permissions: »Manage campaigns« + »View performance«.
  • Tab Pages → check the Page, permissions: »Create content« + »Manage Page posts« + »View Page insights«.
  • Tab Catalogs → check your Product Catalog (permission: »View catalog«). Only required if you want to use the v0.4 Product Catalog tools.
NoteIf your Ad Account, Page or Catalog is not listed, first add it under Settings → Accounts → Ad Accounts / Pages / Catalogs → Add. You must be a Page admin.

The Instagram Business account is reachable automatically via its connected Facebook Page — no separate assignment needed.

Step 06

Generate the System User token

  1. In the System User detail panel, tab »Tokens« → »Generate New Token«.
  2. »Select App«: pick claude-meta-mcp — this binds the token to your App's signing keys.
  3. »Token expiration«: choose »Never« — that's the whole point of a System User token.
  4. Permissions: check all the scopes for the v0.4 toolset (full list below).
  5. »Generate Token« → the token appears once. Click the Copy button — don't select-and-copy the displayed string, Meta obfuscates it visually until you click the button.

Full scope list for v0.4 (47 tools):

  • ads_read, ads_management, business_management
  • pages_show_list, pages_manage_posts, pages_manage_metadata, pages_read_engagement
  • instagram_basic, instagram_content_publish, instagram_manage_comments, instagram_manage_insights
  • catalog_management (for the v0.4 Product Catalog tools — catalogs, feeds, products, diagnostics)
  • optional: read_insights
NoteYou can omit scopes — the matching tools then return 403 at runtime. Example: only ads_read + business_management = read-only Ads, no CRUD, no Instagram, no Pages writes.
Step 07

Validate the token

Before pasting the token into .env, sanity-check it with Meta's own debugger.

On developers.facebook.com/tools/debug/accesstoken/ paste the token. You should see:

  • Type: System User
  • App ID: your app's ID
  • Expires: Never
  • Scopes: the 12+ selected permissions
WarningIf you see »The access token could not be decrypted«: usually the App is not assigned to the Business Portfolio (step 3), the wrong App was picked in the Generate dropdown (step 6.2), or the App Secret was reset after System User creation — in that case just regenerate the token.
Step 08

Drop the token into .env and reload

# am Server, NICHT durch Drittanbieter:
nano /var/www/connector/.env
# Zeile setzen:
META_ACCESS_TOKEN=EAA...

# Connector neuladen:
pm2 reload claude-meta-mcp --update-env
# oder
systemctl restart claude-meta-mcp

Quick confirmation:

TOKEN=$(grep ^META_ACCESS_TOKEN /var/www/connector/.env | cut -d= -f2-)

curl -s "https://graph.facebook.com/v22.0/me?access_token=$TOKEN" | jq
# → {"name":"<dein system user name>","id":"..."}

curl -s "https://graph.facebook.com/v22.0/me/adaccounts?fields=id,name&access_token=$TOKEN" | jq
# → Liste der zugewiesenen Ad Accounts

curl -s "https://graph.facebook.com/v22.0/me/accounts?fields=id,name&access_token=$TOKEN" | jq
# → Liste der zugewiesenen Pages

Token rotation

System User tokens with »Never« do not expire automatically. You should still rotate them periodically:

  1. business.facebook.com → System Users → Tokens → »Revoke Token«
  2. Generate a new token with the same scopes (step 6).
  3. Update .env on the server.
  4. pm2 reload claude-meta-mcp --update-env
NoteIf you suspect a token leak, revoke first, then mint a new one — revoking takes effect immediately.

Standard Access vs Advanced Access

By default your app is in Development Mode with Standard Access:

  • ✅ works with your own ad accounts and Pages
  • ✅ works with up to ~5 explicitly-added test users
  • ❌ does NOT work for arbitrary public users

That's exactly right for a self-hosted single-tenant deployment. Multi-tenant operation (offering the connector publicly) would require Advanced Access with business verification, App Review, and a data-deletion callback — planned for a future connector version.

Troubleshooting
(#100) Tried accessing nonexisting field

Your App does not have the requested permission. Check step 2 (use cases attached) and step 5 (System User asset assignment).

Invalid OAuth access token signature

Token is from a different app or different Business Portfolio. Regenerate via step 6 with the correct App selected.

(#10) Application does not have permission for this action

The asset (Page or Ad Account) is not assigned to the System User, or the role does not include this action. Re-check step 5.

Error validating access token: Session has expired

Only happens with user tokens, not System User tokens. You accidentally generated a user token (e.g. via Graph API Explorer) — redo step 6 from the System User tab.

The access token could not be decrypted

See the note in step 7 — almost always a Business Portfolio / App-assignment issue.

What's next?

With the token in .env and a reload, the connector is ready. Next sensible step: connect the connector in Claude and do a dry-run with get_ad_account — check balance, currency and account status before creating your first test campaigns with status=PAUSED.

← Back to claude-meta-mcp