Instagram API: send direct messages from a web browser

instagram-api_send_message.js

/*
Instagram API: send direct messages from a web browser

Since April 2020, Instagram has a web version to send and read direct messages so my Instagram scripts are not longer needed and I would not recommend using them unless you really need it, to avoid being banned
(never happened to me with Instagram but WhatsApp is owned by Facebook also and they did it to users registering from an unofficial app like yowsup: https://github.com/tgalal/yowsup/commit/88b8ad9581fa22dac330ee3a05fec4e485dfa634#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5)

For browser setup, see script instagram-api_direct_messages_backup.js
Instagram web version sessionid cookie does not allow sending messages so we need to log in manually

Signature should match signed_body data (using HMAC-SHA256 with private key) but wrong signature or key may work also.
You don't need to get the private key yourself since people already got it but here are interesting links explaining how to get it:
https://eliasbagley.github.io/reverseengineering/2016/12/02/reverse-engineering-instagram-api.html
http://www.will3942.com/reverse-engineering-instagram

Signature and deviceID can be generated with this Node.js script instagram_signature.node.js (based on instagram-private-api fork used by IG:dm)
Replace XXX with appropriate values (CSRF token can be random or found in cookies of the web console on Instagram login page and IDs can be generated with Linux uuid command)
Theses values should then be added to the script used in the web browser

var crypto = require('crypto');

var username = 'XXX';
var password = 'XXX';

var deviceID = crypto.createHash('md5').update(username).digest('hex').slice(0, 16);
console.log(deviceID);

var key = '937463b5272b5d60e9d20f0f8d7d192193dd95095a3ad43725d494300a5ea5fc'; // key to be used with user agent starting with "Instagram 85.0.0.21.100"
var data = '{"_csrftoken":"XXX","device_id":"android-' + deviceID + '","username":"' + username + '","password":"' + password + '","guid":"XXX","phone_id":"XXX","login_attempt_count":0}';
var signature = crypto.createHmac('sha256', key).update(data).digest('hex');
console.log(signature);
*/

/* Usage */
//InstagramDMlogin(); // enter your credentials on the login page without logging in and call this function only once (page needs to refreshed after login)
//InstagramDMsend("username", "Hi!");

function InstagramDMlogin()
{
	var form = document.getElementsByTagName("form")[0];
	var username = form.getElementsByTagName("input")[0].value;
	var password = form.getElementsByTagName("input")[1].value;
	
	// replace XXX with the values used when generating signature
	var formData = new FormData();
	formData.append("signed_body", 'XXX.{"_csrftoken":"XXX","device_id":"android-XXX","username":"' + username+ '","password":"' + password + '","guid":"XXX","phone_id":"XXX","login_attempt_count":0}');
	formData.append("ig_sig_key_version", "4");
	
	var xhr = new XMLHttpRequest();
	xhr.open("POST", "https://i.instagram.com/api/v1/accounts/login/");
	xhr.withCredentials = true;
	xhr.send(formData);
}

async function InstagramDMsend(username, message)
{
	var userid = await getUserId(username);
	var timestamp = Date.now();
	var formData = new FormData();
	
	formData.append("csrftoken", "XXX"); // replace XXX with the values used when generating signature
	formData.append("device_id", "android-XXX"); // replace XXX with the values used when generating signature
	formData.append("_uuid", timestamp); // can be generated with Linux uuid command (don't need to be renewed, timestamp can be used instead)
	formData.append("recipient_users", "[[" + userid + "]]"); // user id can be found on https://www.instagram.com/username/?__a=1
	formData.append("client_context", timestamp); // can be generated with Linux uuid command (timestamp can be used instead)
	formData.append("text", message); // message to customize
	
	var xhr = new XMLHttpRequest();
	xhr.open("POST", "https://i.instagram.com/api/v1/direct_v2/threads/broadcast/text/");
	xhr.withCredentials = true;
	xhr.send(formData);
}

function getUserId(username)
{
	return new Promise(function(resolve) {
		var xhr = new XMLHttpRequest();
		xhr.open("GET", "https://www.instagram.com/" + username + "/?__a=1");
		xhr.withCredentials = true;
		xhr.addEventListener("load", function() {
			var response = JSON.parse(xhr.responseText);
			resolve(response.graphql.user.id);
		});
		xhr.send();
	});
}

i tried this code but give 403 error this code need update by instagram changes

403 error bro not working anywore 👎

@taher75 @ahmed103 I don't need to use this script anymore because Instagram now has a web version. So I don't maintain it anymore but feel free to try to fix it if you can. There is maybe nothing to fix and it is just Instagram blocking unofficial scripts.

For information, I mentioned this recently as a comment at the beginning of my script:

Since April 2020, Instagram has a web version to send and read direct messages so my Instagram scripts are not longer needed and I would not recommend using them unless you really need it, to avoid being banned (never happened to me with Instagram but WhatsApp is owned by Facebook also and they did it to users registering from an unofficial app like yowsup: tgalal/yowsup@88b8ad9#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5)

Looks like they've closed the support for for this api endpoint and instead switched to using MQTT protocol to send DMs

Is there a wokable way to send direct message to instagram user on 2023?