Skip to content

Instantly share code, notes, and snippets.

@baptx
Last active September 15, 2024 00:39
Show Gist options
  • Save baptx/99f3cb6373d4a8cf869c25f0549b0c5c to your computer and use it in GitHub Desktop.
Save baptx/99f3cb6373d4a8cf869c25f0549b0c5c to your computer and use it in GitHub Desktop.
Instagram API: send direct messages from a web browser
/*
Instagram API: send direct messages from a web browser
Since April 2020, Instagram has a web version to send and read direct messages so my Instagram scripts are not longer needed and I would not recommend using them unless you really need it, to avoid being banned
(never happened to me with Instagram but WhatsApp is owned by Facebook also and they did it to users registering from an unofficial app like yowsup: https://github.com/tgalal/yowsup/commit/88b8ad9581fa22dac330ee3a05fec4e485dfa634#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5)
For browser setup, see script instagram-api_direct_messages_backup.js
Instagram web version sessionid cookie does not allow sending messages so we need to log in manually
Signature should match signed_body data (using HMAC-SHA256 with private key) but wrong signature or key may work also.
You don't need to get the private key yourself since people already got it but here are interesting links explaining how to get it:
https://eliasbagley.github.io/reverseengineering/2016/12/02/reverse-engineering-instagram-api.html
http://www.will3942.com/reverse-engineering-instagram
Signature and deviceID can be generated with this Node.js script instagram_signature.node.js (based on instagram-private-api fork used by IG:dm)
Replace XXX with appropriate values (CSRF token can be random or found in cookies of the web console on Instagram login page and IDs can be generated with Linux uuid command)
Theses values should then be added to the script used in the web browser
var crypto = require('crypto');
var username = 'XXX';
var password = 'XXX';
var deviceID = crypto.createHash('md5').update(username).digest('hex').slice(0, 16);
console.log(deviceID);
var key = '937463b5272b5d60e9d20f0f8d7d192193dd95095a3ad43725d494300a5ea5fc'; // key to be used with user agent starting with "Instagram 85.0.0.21.100"
var data = '{"_csrftoken":"XXX","device_id":"android-' + deviceID + '","username":"' + username + '","password":"' + password + '","guid":"XXX","phone_id":"XXX","login_attempt_count":0}';
var signature = crypto.createHmac('sha256', key).update(data).digest('hex');
console.log(signature);
*/
/* Usage */
//InstagramDMlogin(); // enter your credentials on the login page without logging in and call this function only once (page needs to refreshed after login)
//InstagramDMsend("username", "Hi!");
function InstagramDMlogin()
{
var form = document.getElementsByTagName("form")[0];
var username = form.getElementsByTagName("input")[0].value;
var password = form.getElementsByTagName("input")[1].value;
// replace XXX with the values used when generating signature
var formData = new FormData();
formData.append("signed_body", 'XXX.{"_csrftoken":"XXX","device_id":"android-XXX","username":"' + username+ '","password":"' + password + '","guid":"XXX","phone_id":"XXX","login_attempt_count":0}');
formData.append("ig_sig_key_version", "4");
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://i.instagram.com/api/v1/accounts/login/");
xhr.withCredentials = true;
xhr.send(formData);
}
async function InstagramDMsend(username, message)
{
var userid = await getUserId(username);
var timestamp = Date.now();
var formData = new FormData();
formData.append("csrftoken", "XXX"); // replace XXX with the values used when generating signature
formData.append("device_id", "android-XXX"); // replace XXX with the values used when generating signature
formData.append("_uuid", timestamp); // can be generated with Linux uuid command (don't need to be renewed, timestamp can be used instead)
formData.append("recipient_users", "[[" + userid + "]]"); // user id can be found on https://www.instagram.com/username/?__a=1
formData.append("client_context", timestamp); // can be generated with Linux uuid command (timestamp can be used instead)
formData.append("text", message); // message to customize
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://i.instagram.com/api/v1/direct_v2/threads/broadcast/text/");
xhr.withCredentials = true;
xhr.send(formData);
}
function getUserId(username)
{
return new Promise(function(resolve) {
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://www.instagram.com/" + username + "/?__a=1");
xhr.withCredentials = true;
xhr.addEventListener("load", function() {
var response = JSON.parse(xhr.responseText);
resolve(response.graphql.user.id);
});
xhr.send();
});
}
@baptx
Copy link
Author

baptx commented Sep 6, 2021

@taher75 @ahmed103 I don't need to use this script anymore because Instagram now has a web version. So I don't maintain it anymore but feel free to try to fix it if you can. There is maybe nothing to fix and it is just Instagram blocking unofficial scripts.

For information, I mentioned this recently as a comment at the beginning of my script:

Since April 2020, Instagram has a web version to send and read direct messages so my Instagram scripts are not longer needed and I would not recommend using them unless you really need it, to avoid being banned (never happened to me with Instagram but WhatsApp is owned by Facebook also and they did it to users registering from an unofficial app like yowsup: tgalal/yowsup@88b8ad9#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5)

@avalanche1
Copy link

Looks like they've closed the support for for this api endpoint and instead switched to using MQTT protocol to send DMs

@CandyBoxLIB
Copy link

Is there a wokable way to send direct message to instagram user on 2023?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment