When a tool offers to moderate the comments on your Facebook and Instagram ads, it has to ask Meta for permission first. Those permissions are not arbitrary — each one maps to a specific capability Meta exposes through the official Graph API, and each is reviewed before it can touch a real account. This explainer walks through the permissions an ad-comment moderator actually needs, what each one does in plain language, and why an honest tool never reaches for scraping or browser automation instead.
Why permissions matter for moderation
Meta does not let an app read or change anything by default. To do real work — list your Pages, read a comment, hide it, reply to it, or look up which ad a comment came from — an app must request the matching permission, and you grant it explicitly during connection. Meta reviews each requested permission in App Review before approving live access.
This is a good thing. A scope-by-scope grant means you can see exactly what a tool can and cannot do, and a tool that asks for too much — or asks for nothing and scrapes instead — is a red flag. ROAS Shield requests a deliberately narrow set: enough to moderate ad comments and map them to campaigns, and nothing more.
The Facebook Page permissions
Four Page-level permissions cover reading and acting on Facebook ad comments:
pages_show_list— lets the tool see the list of Pages you manage, so you can choose which Page to connect. Without it, there is nothing to connect to.pages_read_engagement— lets the tool read the comments and engagement on your Page's posts and ads. This is the read side of moderation: seeing what was said before deciding what to do.pages_manage_engagement— lets the tool hide, unhide, and reply to comments on your behalf. This is the action that actually removes spam from view or answers a buyer.pages_manage_metadata— lets the tool subscribe to the webhooks that notify it the instant a new comment arrives, so moderation can run in real time instead of on a slow poll.
Notice what is not here: there is no permission to create, edit, or pay for ads. Moderation reads and acts on comments — it never touches your campaigns, budgets, or creative.
The Instagram permissions
Instagram comments need their own scopes, because Instagram is a separate surface from Facebook Pages:
instagram_basic— lets the tool read the basic profile and media of the connected Instagram professional account, so it knows which account it is working with.instagram_manage_comments— lets the tool read, hide, and reply to comments on Instagram posts and ads. This is the Instagram equivalent ofpages_manage_engagement.instagram_manage_insights— lets the tool read engagement insights for the account, which helps attribute comments to the right media and report on activity honestly.
For more on the Instagram side specifically, see how to moderate Instagram ad comments.
Ad-context permissions
The remaining two permissions are what make an ad-comment moderator different from a generic Page tool. They let it map a comment back to the campaign, ad set, and ad it came from:
business_management— lets the tool work within your Business Manager, so it can see the assets (Pages, ad accounts, Instagram accounts) that belong together under one business.ads_read— lets the tool read your ad structure — campaigns, ad sets, and ads — so it can attach each comment to the specific creative that earned it. This is read-only: it can see your ads to map comments, but it cannot change them.
This mapping is what lets you ask "which campaign attracts the most spam?" or "which creative draws the most buyers?". When a comment cannot be confidently mapped to a known ad — some formats make this genuinely hard — an honest tool flags it for manual review rather than guessing. See ad comment moderation for how mapping and moderation fit together.
Why scraping is not an option
Some tools skip permissions entirely and scrape the web interface or drive a logged-in browser. That is never acceptable, for three reasons:
- It violates Meta's terms. Scraping and unofficial automation against Meta's surfaces breach the Platform Terms and can get your account or the tool's app banned. It also disqualifies a tool from App Review outright.
- It is fragile. A scraper breaks the moment Meta changes a layout, and it cannot subscribe to webhooks, so it is always behind.
- It is opaque. With no granted scopes, you have no way to see or limit what the tool is doing inside your account.
ROAS Shield only ever uses the official Graph API with the reviewed permissions above. We deliberately do not request ads_management (which would let an app change your campaigns) or messaging-send permissions beyond Meta's allowed one-time private replies — both add review friction and neither is needed to moderate comments.
Pricing
Comment moderation across Facebook and Instagram is included on every paid plan, from £19/month (Starter, 10,000 comments/month) up to £199/month (Scale, 500,000 comments/month). See the pricing page for the full grid, then create an account to connect a Page and grant exactly these permissions — nothing more.