
Instagram Private Reply API — Why Your Auto-DM Fails for Non-Followers (2026 Fix)

Most IG auto-DM tools silently fail for users who don't follow you. The fix is one API endpoint switch: Private Reply API addresses by comment_id, not user_id, and grants a 7-day window from the comment.

Quick answer

IG's standard messaging API only works inside a 24-hour conversation window — so DMs to non-followers fail with "This message is sent outside of allowed window." The Private Reply API fixes this: address the recipient by comment_id (not user_id), and Meta grants a 7-day messaging window from the comment timestamp. POST /{comment-id}/replies for the public reply; POST /{ig-business-id}/messages with recipient: { comment_id } for the DM.

If you've built an Instagram auto-DM bot in 2026 and your sends silently fail for users who don't follow you, you've hit the most common bug in the space. Meta returns:

{
  "error": {
    "message": "This message is sent outside of allowed window.",
    "type": "OAuthException",
    "code": 10
  }
}

The fix is one endpoint switch. It's been live since Meta opened the path for "comment → DM" automation in 2024, and the documentation is buried two clicks deep.

The standard messaging endpoint is the wrong endpoint

Most tutorials show this:

POST /me/messages?access_token=...
{
  "recipient": { "id": "<recipient_igsid>" },
  "message":   { "text": "Hey, here's your link!" },
  "messaging_type": "RESPONSE"
}

This works only inside an active 24-hour conversation window. Non-followers who comment on your post haven't started a conversation with you, so Meta blocks the DM.

Private Reply: address by comment_id, not user_id

POST /<your-ig-business-id>/messages?access_token=...
{
  "recipient": { "comment_id": "<the_comment_id>" },
  "message":   { "text": "Hey, here's your link!" }
}

Two changes from the broken version:

  1. `recipient` keys on `comment_id`, not `id` — Meta uses the comment as the messaging anchor.
  2. No `messaging_type` — Meta infers MESSAGE_TAG from the recipient shape.

This grants a 7-day window from the comment timestamp. Works for followers and non-followers identically.

The webhook side

To get comment_id in the first place, subscribe to the comments field on your IG business account:

# Parameters go in the form body, which also keeps the token out of the request URL.
curl -X POST "https://graph.facebook.com/v22.0/<ig-business-id>/subscribed_apps" \
  -d "subscribed_fields=comments" \
  -d "access_token=<token>"

Then in your webhook handler:

const v = entry.changes[0].value;
const commentId  = v.id;          // ← the Private Reply key
const fromIgsid  = v.from.id;     // ← for follower checks, not DMs
const text       = v.text;        // match against your keyword rules
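
A hardened version of the handler above, as an added example that is not part of the original post or StackPicks' own code: it checks Meta's X-Hub-Signature-256 HMAC over the raw request body before trusting any comment_id, then builds the Private Reply payload only for keyword matches still inside the 7-day window. The function names, the sample secret and IDs, and the use of entry.time (Unix seconds) as the comment time are assumptions.

```javascript
const crypto = require('crypto');

const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;

// Meta signs each delivery: X-Hub-Signature-256 = "sha256=" + hex HMAC-SHA256(app secret, raw body).
function verifySignature(rawBody, header, appSecret) {
  if (typeof header !== 'string' || !header.startsWith('sha256=')) return false;
  const expected = crypto.createHmac('sha256', appSecret).update(rawBody).digest();
  const given = Buffer.from(header.slice('sha256='.length), 'hex');
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Returns one Private Reply payload per matching comment; throws if the signature is wrong.
function buildPrivateReplies(rawBody, header, appSecret, keyword, replyText, now = Date.now()) {
  if (!verifySignature(rawBody, header, appSecret)) throw new Error('invalid webhook signature');
  const body = JSON.parse(rawBody); // parse only after the raw bytes are authenticated
  const payloads = [];
  for (const entry of body.entry ?? []) {
    for (const change of entry.changes ?? []) {
      if (change.field !== 'comments') continue;
      const v = change.value ?? {};
      if (typeof v.id !== 'string' || typeof v.text !== 'string') continue;
      if (!v.text.toLowerCase().includes(keyword.toLowerCase())) continue;
      // Assumption: entry.time is the event time in Unix seconds; skip if missing or too old.
      if (!Number.isFinite(entry.time) || now - entry.time * 1000 >= SEVEN_DAYS_MS) continue;
      // comment_id recipient and no messaging_type, as in the Private Reply request above.
      payloads.push({ recipient: { comment_id: v.id }, message: { text: replyText } });
    }
  }
  return payloads;
}

// Constructed sample delivery (not real data): secret, IDs and signature are made up here.
const SAMPLE_SECRET = 'example-app-secret';
const SAMPLE_BODY = JSON.stringify({
  object: 'instagram',
  entry: [{ id: '1784000000000000', time: 1780000000, changes: [{
    field: 'comments',
    value: { id: '17900000000000001', text: 'LINK please', from: { id: '900000000000001' } },
  }] }],
});
const SAMPLE_SIG = 'sha256=' +
  crypto.createHmac('sha256', SAMPLE_SECRET).update(SAMPLE_BODY).digest('hex');

console.log(buildPrivateReplies(SAMPLE_BODY, SAMPLE_SIG, SAMPLE_SECRET, 'link',
  "Hey, here's your link!", 1780000000 * 1000 + 3600 * 1000));
```

The signature must be computed over the exact bytes Meta sent, so capture the raw body before any JSON middleware re-serializes it.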

The public comment reply

While you're DM'ing, also post a public reply on the same comment. This serves two purposes: viewers see the bot worked, and others are more likely to copy the behavior.

POST /<comment-id>/replies?access_token=...
{ "message": "Sent ✓ check your DMs @user" }

Public replies are not subject to either messaging window — they're regular comment activity governed by spam policy.

What StackPicks AutoDM does differently

When we hit this bug ourselves on June 5, 2026 — demo_fluenco getting "outside allowed window" while piyush.jangir (who follows us) succeeded — we ripped out the standard messaging path and rebuilt the engine around Private Reply. The result: 100% delivery rate to non-followers within the 7-day window, regardless of follower count.

Our follow-up agent then uses standard messaging for AI-generated replies that arrive after the recipient has DM'd back — at that point the 24-hour conversation window is open, and standard messaging is the right tool.

Quick checklist before shipping

  1. Switch your DM send to recipient: { comment_id }.
  2. Remove messaging_type from the payload.
  3. Verify your webhook captures value.id as comment_id.
  4. Test with a non-follower account and watch your dm_log.

That's the whole fix.

— Piyush

Frequently asked

Why do auto-DMs fail for non-followers on Instagram?

Most automation tools use the standard messaging endpoint (POST /me/messages with recipient: { id: <user_id> }). That endpoint requires an active 24-hour conversation window — meaning the recipient must have messaged you in the last 24 hours. Non-followers and cold recipients usually haven't, so Meta returns "This message is sent outside of allowed window." and silently drops the DM.

What is the Instagram Private Reply API?

Private Reply is a separate Messenger Platform endpoint that lets a business DM a commenter directly, addressed by the comment's ID rather than the user's ID. The payload uses recipient: { comment_id: "<id>" } instead of { id: "<user_id>" }. Meta grants a 7-day messaging window from the comment timestamp regardless of follow status. This is the supported path for "comment → DM" automation in 2026.

How long is the Private Reply window?

Seven days from the moment the comment was created. If a user commented today at 14:00 IST, you have until exactly 14:00 IST seven days from now to send them a Private Reply DM. After that, the conversation falls back to the 24-hour standard messaging window — meaning you can only DM them if they message you first.

Do I still need to handle the 24-hour window?

Yes — but only after the first reply. The Private Reply API opens a 7-day window from the comment. Once you and the recipient have a live conversation going, follow-up messages within 24 hours of their last reply work via the standard messaging endpoint. Tools like StackPicks AutoDM use Private Reply for the first message of any comment-triggered conversation, then switch to standard messaging for any AI follow-up replies that arrive in-window.

Will Meta ban my account for using the Private Reply API?

No — Private Reply is the official, documented path. Meta's anti-abuse system flags high-volume cold-DM patterns from standard messaging, but Private Replies tied to real comments on your own posts are explicitly allowed. The safeguards that matter are content (no spam triggers like "free", "guaranteed"), volume (under 200 DMs/hour for established accounts, lower for warming accounts), and link hygiene (single button-card link, not multi-URL text bodies).

How do I implement Private Reply API for a comment trigger?

Subscribe to the "comments" webhook field on your IG business account. When a comment matching your keyword arrives, capture comment_id from the webhook value. For the public reply, POST /{comment-id}/replies with { message }. For the DM, POST /{ig-business-id}/messages with { recipient: { comment_id }, message: { text } }. Do NOT include messaging_type — Meta infers it from the recipient shape. Test with a non-follower account to confirm Private Reply path is firing.
