Unified.to

How to Get Your Meta Ads API Key


May 26, 2026

Meta Ads doesn't issue a permanent API key. You authenticate with an access token generated from a Meta Business app—and the catch is that the easy token you'll first get expires in about an hour. Getting a token that survives in production means understanding Meta's three token types and clearing its App Review and Business Verification gates.

This guide covers creating the app, the token lifecycle that trips everyone up (short-lived → long-lived → System User), and the access levels that decide whether you can touch real ad accounts.

Key takeaways

  • There's no permanent Meta Ads "API key." You generate an access token from a Meta Business app with the Marketing API added.
  • The token you get from the Graph API Explorer is short-lived (~1–2 hours). You must exchange it server-side for a long-lived token (~60 days), and for always-on automation, use a System User token, which is built for long-running backend use (renewable, not tied to a human session).
  • Permissions start at Standard Access (your own assets only). Production use on other accounts needs Advanced Access, which requires App Review and Business Verification.
  • The core permissions are ads_management, ads_read, and business_management.

Before you start

You need a Meta Business Manager account with admin access, an active ad account linked to it, and a Meta for Developers account to create the app. Budget time for App Review and Business Verification if you'll access other people's ad accounts—that's a multi-day to multi-week process, not an instant toggle.

Step 1: Create a Meta Business app

  1. Log in to the Meta for Developers portal and open My Apps → Create App.
  2. Choose the Business app type (the right fit for advertising integrations).
  3. Complete setup and confirm your app is linked to your Business Manager—your Business account name should appear in the app settings.

Step 2: Add the Marketing API and set permissions

  1. In your app dashboard, click Add Product and select Marketing API. A Marketing API section appears in your sidebar.
  2. The permissions that matter for ads are ads_management (create/edit campaigns), ads_read (pull performance data), and business_management (manage business assets).
  3. Note the access level. Standard Access lets your app work with assets you own or admin—fine for development and internal use. Advanced Access is required to operate on other accounts in production, and that's gated (Step 4).

Step 3: Generate an access token — and understand the lifecycle

This is the Meta-specific gotcha, and it's where most integrations break.

  1. Short-lived token. Open Tools → Graph API Explorer, select your app, click Generate Access Token, and grant the permissions from Step 2. You get a User access token—but it lasts only about 1–2 hours. Great for a quick test, useless for production.
  2. Long-lived token. Exchange the short-lived token server-side for one that lasts ~60 days. Call the OAuth endpoint with your app secret:
    GET https://graph.facebook.com/{version}/oauth/access_token
      ?grant_type=fb_exchange_token
      &client_id={app-id}
      &client_secret={app-secret}
      &fb_exchange_token={short-lived-token}
    

    Make this call from your server—never client-side—because it includes your app secret. A long-lived token lasts around 60 days, but it can still be invalidated early (password changes, permission changes, app changes), so treat it as renewable, not permanent.
  3. System User token (for automation). For server-based integrations that run 24/7, create a System User in Business Settings → Users → System Users, assign it to your app, grant it access to the relevant ad accounts, then generate its token. System User tokens aren't tied to a human session, which makes them the right choice for long-running scripts and scheduled syncs. Treat them as renewable rather than guaranteed permanent, since they can still be revoked or rotated.

The failure pattern to avoid: grabbing the short-lived token from the Explorer, building everything, and watching it die an hour later in production. Decide upfront which token type your use case needs—long-lived for periodic jobs, System User for continuous automation.
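
The long-lived exchange from Step 3 with expiry tracking, as an added Python example (not code from Unified.to or Meta). The environment variable names, the one-week refresh margin, and the `expires_in` response field are assumptions; pass the API version you have pinned.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

REFRESH_MARGIN_S = 7 * 24 * 3600  # assumption: renew a week before expiry
SECRET_PARAMS = {"client_secret", "fb_exchange_token", "access_token"}

def build_exchange_url(version, app_id, app_secret, short_lived_token):
    """Build the Step 3 exchange request. It carries the app secret."""
    query = urllib.parse.urlencode({
        "grant_type": "fb_exchange_token", "client_id": app_id,
        "client_secret": app_secret, "fb_exchange_token": short_lived_token})
    return f"https://graph.facebook.com/{version}/oauth/access_token?{query}"

def redact_url(url):
    """Mask secret-bearing query values so the URL is safe to log."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k in SECRET_PARAMS else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(masked)))

def parse_token_response(body, now):
    """Return (token, expires_at); raise on an error body such as code 190."""
    data = json.loads(body)
    if "error" in data:
        err = data["error"]
        raise RuntimeError(f"token exchange failed: code={err.get('code')}")
    expires_in = data.get("expires_in")  # assumed field: lifetime in seconds
    expires_at = now + int(expires_in) if expires_in is not None else None
    return data["access_token"], expires_at

def needs_refresh(expires_at, now, margin=REFRESH_MARGIN_S):
    """True when expiry is unknown or falls inside the refresh margin."""
    return expires_at is None or expires_at - now <= margin

def exchange_token(version, short_lived_token):
    """Server-side network call; credentials come from the environment."""
    url = build_exchange_url(version, os.environ["META_APP_ID"],
                             os.environ["META_APP_SECRET"], short_lived_token)
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        body = exc.read()  # Graph API errors arrive as a JSON body
    return parse_token_response(body, int(time.time()))
```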

Step 4: App Review and Business Verification (for production)

In development mode, your permissions work for ad accounts where you're an admin. To use the API in production—on behalf of other clients or accounts—you need Advanced Access, which requires:

  • App Review: Meta reviews your app and intended use; you typically submit screencasts, a privacy policy, and details of how you handle data.
  • Business Verification: mandatory if you need Advanced Access to ads_management or want to create ad accounts programmatically. It usually takes a few business days.

This is Meta's equivalent of a vetting gate—plan for it as a real timeline item before you promise customers a launch date.

A current deprecation to know about

Meta is phasing out legacy Advantage Shopping and App Campaign APIs in the v25 / early-2026 timeframe; integrations should migrate to the newer Advantage+ campaign structures. Meta supports each API version for at least two years from release, but deprecated features eventually stop working—so pin your API version explicitly, build version checks into your integration, and confirm current timing against Meta's deprecation notes (their dates sometimes shift).

Keeping your credentials secure

  • App secret and tokens are server-side only—never in client code, screenshots, or a public repo. Store them in environment variables or a secrets manager.
  • Match the token type to the job: System User tokens for always-on automation, long-lived user tokens for periodic tasks. Track expiry and refresh before tokens lapse.
  • Request only the permissions you need—unnecessary scopes complicate App Review later.

Frequently asked questions

What's my Meta Ads API key? There's no permanent key. You generate an access token from a Meta Business app with the Marketing API added. For production automation, a System User token (built for long-running backend use) is the closest equivalent.

Why does my token expire after an hour? The token from the Graph API Explorer is short-lived (~1–2 hours)—when it lapses you'll see error code 190 (invalid/expired token). Exchange it server-side for a long-lived token (~60 days), or use a System User token for long-running backend access.

What permissions do I need? ads_management, ads_read, and business_management cover most ad workflows.

Why can't I access my client's ad account? Standard Access only works on assets you own or admin. Operating on other accounts in production requires Advanced Access, which means App Review and Business Verification. If you see "(#274) The ad account is not enabled for usage in Ads API", the user or System User is missing the right role on that account, or (in development mode) the account isn't added under your app's advertising-accounts settings.

What's a System User token? A token tied to a System User in Business Manager, built for server-based automation that runs without human input. It isn't tied to a human login session, so it's the right fit for always-on jobs—but treat it as renewable, since it can still be revoked or rotated.

Connecting Meta Ads alongside your other ad platforms

A token lifecycle with three types and a 60-day refresh window, plus App Review and Business Verification—that's the setup for one ad platform. Each has its own: Google Ads spreads four credentials across two consoles with a tiered developer token; LinkedIn requires a vetted app and 3-legged OAuth. And every platform models campaigns and reporting differently.

Unified.to collapses that into one integration. Unified provides Meta Ads through its normalized Advertising API—working with ad accounts (organizations), campaigns, groups, ads, creatives, targeting, and performance reports as consistent objects—alongside Google Ads, LinkedIn, TikTok Ads, Amazon Advertising, and Microsoft Advertising, across one connection model. You pull cross-platform performance from a single endpoint (GET /ads/{connection_id}/report) with normalized KPI selectors, and read/write campaign controls without per-platform branching. Unified manages each platform's authorization and token lifecycle—including Meta's token exchange and refresh—so that 60-day-refresh logic isn't something your team maintains across a dozen platforms.

It's the same pattern that lets teams like Humi ship integrations in days rather than building each one in-house: integrate once per category, and get every platform in it.
