Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Instagram API: send direct messages from a web browser
/*
Instagram API: send direct messages from a web browser
For browser setup, see script instagram-api_direct_messages_backup.js
Instagram web version sessionid cookie does not allow sending messages so we need to log in manually
Signature should match signed_body data (using HMAC-SHA256 with private key) but wrong signature or key may work also.
You don't need to get the private key yourself since people already got it but here are interesting links explaining how to get it:
https://eliasbagley.github.io/reverseengineering/2016/12/02/reverse-engineering-instagram-api.html
http://www.will3942.com/reverse-engineering-instagram
Signature and deviceID can be generated with this Node.js script instagram_signature.node.js (based on instagram-private-api fork used by IG:dm)
Replace XXX with appropriate values (CSRF token can be random or found in cookies of the web console on Instagram login page and IDs can be generated with Linux uuid command)
Theses values should then be added to the script used in the web browser
var crypto = require('crypto');
var username = 'XXX';
var password = 'XXX';
var deviceID = crypto.createHash('md5').update(username).digest('hex').slice(0, 16);
console.log(deviceID);
var key = '937463b5272b5d60e9d20f0f8d7d192193dd95095a3ad43725d494300a5ea5fc'; // key to be used with user agent starting with "Instagram 85.0.0.21.100"
var data = '{"_csrftoken":"XXX","device_id":"android-' + deviceID + '","username":"' + username + '","password":"' + password + '","guid":"XXX","phone_id":"XXX","login_attempt_count":0}';
var signature = crypto.createHmac('sha256', key).update(data).digest('hex');
console.log(signature);
*/
/* Usage */
//InstagramDMlogin(); // enter your credentials on the login page without logging in and call this function only once (page needs to refreshed after login)
//InstagramDMsend("username", "Hi!");
function InstagramDMlogin()
{
var form = document.getElementsByTagName("form")[0];
var username = form.getElementsByTagName("input")[0].value;
var password = form.getElementsByTagName("input")[1].value;
// replace XXX with the values used when generating signature
var formData = new FormData();
formData.append("signed_body", 'XXX.{"_csrftoken":"XXX","device_id":"android-XXX","username":"' + username+ '","password":"' + password + '","guid":"XXX","phone_id":"XXX","login_attempt_count":0}');
formData.append("ig_sig_key_version", "4");
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://i.instagram.com/api/v1/accounts/login/");
xhr.withCredentials = true;
xhr.send(formData);
}
async function InstagramDMsend(username, message)
{
var userid = await getUserId(username);
var timestamp = Date.now();
var formData = new FormData();
formData.append("csrftoken", "XXX"); // replace XXX with the values used when generating signature
formData.append("device_id", "android-XXX"); // replace XXX with the values used when generating signature
formData.append("_uuid", timestamp); // can be generated with Linux uuid command (don't need to be renewed, timestamp can be used instead)
formData.append("recipient_users", "[[" + userid + "]]"); // user id can be found on https://www.instagram.com/username/?__a=1
formData.append("client_context", timestamp); // can be generated with Linux uuid command (timestamp can be used instead)
formData.append("text", message); // message to customize
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://i.instagram.com/api/v1/direct_v2/threads/broadcast/text/");
xhr.withCredentials = true;
xhr.send(formData);
}
function getUserId(username)
{
return new Promise(function(resolve) {
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://www.instagram.com/" + username + "/?__a=1");
xhr.withCredentials = true;
xhr.addEventListener("load", function() {
var response = JSON.parse(xhr.responseText);
resolve(response.graphql.user.id);
});
xhr.send();
});
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.