What this is: a 2-minute walkthrough for creating a never-expiring Meta Business Manager System User token and pasting it into Admaxxer to start tracking spend, results, ROAS, CAPI match rate, and ad-level cohort LTV. No Meta App Review required — the paste-token flow uses your own System User token, which Admaxxer validates functionally (it confirms the token can read your data) and accepts even though it was minted by your own Business app.
act_1234567890.This is the path we recommend for every store. The token never expires, so you set it up once and your dashboards keep syncing.
Admaxxer Sync, role Admin), or select an existing one. A System User is a non-human "service account" inside your Business Manager — its token isn't tied to anyone's personal login, so it keeps working even if a teammate leaves or changes their password.ads_read). For the optional Maxxer agent actions, grant Manage Campaigns (ads_management) too — recommended.This step is what most people miss. A token can be valid yet still fail to read an ad account if the System User has no role on it. Assigning the asset here is what unblocks the sync.
| Scope | Why we ask |
|---|---|
ads_read | Read campaigns, ad sets, ads, and insights (spend, results, ROAS). |
ads_management | Pause and scale campaigns from the Maxxer AI agent — only on confirmed actions. |
business_management | Resolve which Business Manager owns each ad account — required for multi-account rollups. |
Why this is the recommended path: a System User token never expires, survives password changes, and isn't tied to one person's session — so your dashboards never go dark because someone logged out.
act_XXXXXXXXX format — for example act_1234567890. You'll find it in Business Settings › Ad Accounts.What success looks like: within a few seconds the card flips to a green Connected badge. Admaxxer auto-detects your account currency (e.g. USD), shows your last-30-days spend, and starts a daily sync of campaigns, ad sets, ads, spend, and results. Your ROAS and attribution tiles populate as the first sync completes.
Treat the token like a password. Admaxxer encrypts it at rest and never logs the raw value, but anyone with it can read your ad data.
Just want to kick the tyres? Meta's Graph API Explorer hands you a token in two clicks. It's the fastest way to see your data flowing — but it's short-lived (about an hour), so the connection will stop syncing once it expires.
ads_read, ads_management, business_management pre-filled.For a permanent connection, use the System User token above. The Explorer token is perfect for a quick test, but it will expire within the hour — switch to the never-expiring System User token before you rely on the data.
| Token type | Lifetime | Best for |
|---|---|---|
| Graph API Explorer (user) token | ~1 hour | A quick test only — expires within the hour. |
| System User token (recommended) | Never expires | Every store. Set it once, hands-off, multi-account rollups. |
Admaxxer uses the token to read your campaign spend and results every day, then joins that with your Google, organic, and store revenue to compute accurate ROAS, blended MER, CAC, and cross-channel attribution. If you granted ads_management, the Maxxer AI agent can also pause campaigns or adjust budgets — but only on changes you explicitly confirm. The raw token is encrypted at rest, never written to logs, and never shared with anyone.
Pasted the wrong token? Rotating the ad account owner? Removing Admaxxer for compliance? Disconnect is a 30-second self-serve flow from inside Admaxxer — no support email required.
act_1234567890) into the confirm input — this typed-confirm guards against accidental clicks on ad accounts that may carry $100k+/mo in spend.DELETE /{user_id}/permissions. The card flips back to Not connected.What stays: historical insights and sync history, CAPI match-rate history, Sources & Attribution backfills for the prior 90 days, and the audit trail (account ID, scopes, app).
What gets deleted: the encrypted access token, any pending syncs, and the Meta-side grant (best-effort).
Re-connecting is one click — no data lost for past windows. Sources & Attribution, MER, ROAS, CAPI match-rate, and cohort LTV for every prior date stay intact. Live sync resumes the moment you paste a new System User token. For belt-and-suspenders revocation outside Admaxxer, also remove the grant at facebook.com/settings › Business Integrations.
Q: I got "Token has expired". What now?
Generate a fresh token. The simplest permanent fix is a System User token with Expiration set to Never (Steps 1-3 above) — it won't expire, so you'll never see this again. If you used a short-lived Graph API Explorer token instead, that's expected: those last about an hour.
Q: I got "Token can't access that ad account". What now?
Two things to check. First, confirm the Ad account ID is exactly right and in act_XXXXXXXXX format. Second — and this is the usual cause — make sure the System User actually has a role on that ad account: open Business Settings > Ad Accounts, select the account, and confirm your System User is assigned with View Performance (or Manage Campaigns). A token can be valid yet still be unable to read an account it was never granted.
Q: I pasted a token from Graph Explorer and it stopped working after an hour.
That token was short-lived — Graph API Explorer tokens are only meant for a quick test and expire in about an hour. For a permanent connection, generate a System User token and set its expiration to Never (Steps 1-3 above), then paste that one instead.
Q: Is my token safe?
Yes. It's encrypted at rest, never written to logs, and never returned by any API after you save it. It's used only to read your ad data — and, if you grant ads_management, to make the campaign changes you explicitly confirm. Nothing else.
Q: Does Admaxxer accept my own Business Manager's System User token?
Yes. Admaxxer validates tokens functionally — it confirms the token can actually read your data — rather than requiring it to be minted by a specific app. So a System User token from your own Business Manager is fully supported, and it's the recommended setup.
Q: Do I need a Meta Business Verification?
No. The paste-token flow uses your own Meta credentials, so Meta's Business Verification (required for App Review apps) does not apply. You only need to be an admin or have Manage Campaigns on the ad account.
Q: Can I track multiple ad accounts with one token?
Yes — one System User token can authenticate against every ad account it's been assigned to. Admaxxer creates a separate connection per ad account ID so you can track parent + child accounts independently.
Q: How do I disconnect Meta Ads?
Go to Integrations, find the Meta Ads card, click the three-dot menu in the top-right, choose Disconnect, type your ad account ID (e.g. act_1234567890) to confirm, then click Disconnect. The encrypted token is destroyed immediately, pending syncs are cancelled, and Admaxxer revokes the Meta-side grant best-effort. For belt-and-suspenders revocation outside Admaxxer, also remove the grant at facebook.com/settings > Business Integrations.
Q: What happens to my historical Meta data when I disconnect?
Past windows are preserved. Cached insights, your sync history, CAPI match-rate history, and Sources & Attribution backfills remain queryable. Only the encrypted token and any pending syncs are purged. Re-connecting the same ad account restores live sync — no manual backfill required for gaps under 90 days.
Q: I pasted a token for the wrong ad account. How do I fix it?
Open Integrations, hover the Meta Ads card, click the three-dot menu, choose Disconnect, type the ad account ID to confirm, then click Disconnect. Then paste a new token tied to the correct ad account. The flow is ~30 seconds and self-serve.
Meta Ads integration overview · How Sources & Attribution works · Connect Google Ads (refresh token) · Connect TikTok Ads (paste-token) · Documentation home