Connect Meta Ads with a long-lived access token

What this is: a 5-minute walkthrough for generating a long-lived Meta Marketing API token via Graph Explorer (the fastest path) or a System User in Business Manager (the never-expire path), then pasting it into Admaxxer to start tracking spend, ROAS, CAPI match rate, and ad-level cohort LTV. No Meta App Review required — the paste-token flow uses your own user or system-user token.

Why a paste-token (no App Review wait)

Skip Meta App Review. Standard Marketing API apps require Meta App Review (4–8 weeks). A long-lived user token or System User token doesn't.
You stay in control. The token is bound to your Meta user (or your Business Manager System User). Admaxxer holds it AES-256-GCM encrypted at rest and never logs the raw value.
Ship today. Most teams paste in a token and have campaign data in Admaxxer within 60 seconds. CAPI match rate and ad-level cohort LTV unlock automatically.

Step 1 — Open Meta Graph Explorer (~30 sec)

Open developers.facebook.com/tools/explorer and sign in with the Meta account that has access to the ad accounts you want to track.
In the top-right dropdown, pick Meta App: User Token. If you don't have an app yet, click Create App > Other > Business — name it Admaxxer Token and you're done; this app exists only as a token issuer.

Step 2 — Add the three required scopes (~30 sec)

Click the Permissions dropdown and enable exactly these three scopes:

Scope	Why we ask
`ads_read`	Read campaigns, ad sets, ads, insights (spend, ROAS, CTR, CPM).
`ads_management`	Pause and scale campaigns from the Maxxer AI agent (only on confirmed actions).
`business_management`	Resolve which Business Manager owns each ad account — required for multi-account rollups.

Don't enable extras. Adding scopes you don't need is a security smell — Admaxxer only requests the three above.

Step 3 — Generate a short-lived user access token (~15 sec)

Click Generate Access Token. Meta will pop a consent screen — approve the three scopes for the app you created.
Graph Explorer drops you back with a token in the Access Token field. This token is short-lived (~1 hour). Don't paste it into Admaxxer yet — we'll extend it next.

Step 4 — Extend it to a 60-day long-lived token (~30 sec)

In Graph Explorer, click the small info icon (ⓘ) next to the token field, then click Open in Access Token Tool.
On the Access Token Tool page, click Extend Access Token at the bottom. Re-enter your password if prompted.
Meta returns a new token with a 60-day expiry. Copy this one — this is the one you paste into Admaxxer.

You can verify the expiry by pasting the token back into the Access Token Debugger; the row labelled Expires should read about 60 days out.

Step 5 — Optional: System User token (never expires)

If you don't want to rotate every 60 days, generate a System User token in Business Manager instead:

Open business.facebook.com/settings/system-users.
Click Add, name it Admaxxer System User, and pick Admin role.
Open the new system user, click Add Assets, and grant it access to the ad accounts you want to track (with Manage Campaigns permission).
Click Generate New Token, pick the same Meta App from Step 1, enable the three scopes from Step 2, and click Generate.
Copy the token. This one never expires unless the system user is deleted or scopes are revoked.

Step 6 — Paste credentials into Admaxxer (~15 sec)

Back in Admaxxer, open Integrations › Meta Ads.
Paste the long-lived token (from Step 4) or the system-user token (from Step 5) into the Access Token field.
Paste your Ad Account ID (format: act_1234567890 — find it in Business Manager > Ad Accounts).
Click Connect. Admaxxer validates the token, hits the Marketing API, and shows you a green "Connected" badge plus your last-30-days spend within seconds.

Token lifetimes at a glance

Token type	Lifetime	Best for
User access token (short-lived)	~1 hour	Don't paste this — extend first.
User access token (long-lived)	60 days	Solo users; Admaxxer warns 7 days before expiry with a one-click rotation flow.
System User token	Never expires	Agencies, multi-account rollups, hands-off operation.

Security — how Admaxxer stores your token

AES-256-GCM at rest. The token is encrypted with a workspace-bound key before it ever touches our database.
Never logged in plaintext. Application logs only show a 6-character prefix for debugging.
One-click revoke. Disconnect from Admaxxer at any time, or revoke the token in Meta > Settings > Business Integrations.
You can rotate any time. Generate a new token in Graph Explorer or Business Manager, paste it in, and the old one stops working immediately.

FAQ

Q: Do I need a Meta Business Verification?

No. The paste-token flow uses your own Meta credentials, so Meta's Business Verification (required for App Review apps) does not apply. You only need to be an admin or have Manage Campaigns on the ad account.

Q: My token expired. Now what?

Admaxxer surfaces a banner when a token has <7 days left and emails the workspace owner. Click Reconnect, regenerate via Graph Explorer (Steps 1–4), and paste the new token in — sync resumes within a minute.

Q: Can I track multiple ad accounts with one token?

Yes — one user or system-user token can authenticate against every ad account you have access to. Admaxxer creates a separate connection per ad account ID so you can track parent + child accounts independently.

Meta Ads integration overview · Connect Google Ads (refresh token) · Connect TikTok Ads (paste-token) · Documentation home