Vibes DIY
Vibes DIY / Blog
From the build log

Remix meta-hub into your own social media machine

Every post on this blog now ships itself to Instagram, Threads, and Facebook. The thing doing the shipping isn't a scheduling SaaS or a CI workflow. It's a vibe — three files, owner-only, with its own token vault, its own rotation schedule, and a three-platform publish state machine. And because it's a vibe, you don't have to build your own: remix it, paste your tokens, and the machine is yours.

Title card: 'remix → post ↺' over a duotone photo of 1950s telephone switchboard operators.
Switchboard operators patched one message through to many lines. So does this app.

What meta-hub is

meta-hub is a standard Vibes DIY app: App.jsx (a dashboard), access.js (owner-only, everywhere), and a backend.js whose scheduled handler wakes every minute and does all the work:

  • The vault holds one token document per platform — Instagram, Threads, Facebook Page. Instagram and Threads tokens expire every 60 days, so the handler refreshes any token older than seven days; the write-back that makes scheduled rotation awkward elsewhere is just a database put here, because the store and the rotator are the same app.
  • The publisher walks publish-request documents through Meta's container-then-publish flow — carousels, single images, or (on Threads) text-only posts with clickable links. Progress persists on the request doc, so a slow media container just resumes on the next tick, and the permalink lands on the doc when it's done.
  • The dashboard shows token health and post statuses, and takes new tokens and new publish requests. That's the whole operating surface.

The trick worth stealing: tokens as data

Scheduled token refresh keeps hitting the same snag: the refresher needs somewhere to write the new token. If that somewhere is a secrets manager, you need a second credential with write access — a credential guarding a credential. meta-hub's move (issue #3101 has the full design record) is to store tokens as database records in the app itself, so rotation is an ordinary write through the app's own access rules.

Get posts like this in your inbox

One email field. Real updates. No algorithm required.

The security posture is stricter than it sounds. The vault's channel is granted to no one, so no normal client read path can fetch token values back — the paste form writes them, server-side scheduled code reads them, and the dashboard shows only a redacted status projection (platform, account name, expiry, health — never the token). In normal operation, raw credentials live in Meta's dashboard where you minted them and in the server-side vault, nowhere else.

The scars are included

Getting three Meta surfaces working taught us things their docs don't say, and every lesson is encoded in the backend, so a remix inherits the fixes (PR #3181 has the war story):

  • A carousel container that references children created one second earlier fails with a detail-free ERRORFINISHED doesn't mean referenceable. Parents are only assembled from children a full tick old.
  • Threads' authenticated status reads come back without CORS headers, so they're unreachable from a CORS-parity egress proxy. Threads skips polling entirely and publishes with bounded retry instead.
  • Paste the wrong flavor of Facebook credential and posting fails with a cryptic #200. meta-hub now resolves any page-capable token through /me/accounts to the Page's own long-lived token, so the wrong flavor becomes the right one automatically.

Make it yours

  1. Remix it. Open jchris/meta-hub and remix. You get the code; you do not get our data — a remix copies source, never databases, so your vault starts empty and our tokens stay home.
  2. Do the Meta paperwork once (~30–60 minutes, all in Meta's dashboards): create a Business-type app at developers.facebook.com, add the Instagram and Threads use cases, convert your accounts to professional if they aren't, and generate a long-lived token for each platform from the use case's token generator. For a Facebook Page, generate a system-user token in Business Manager, configured with no scheduled expiration — nothing to rotate, though like any credential it can still be revoked. For this first-party setup — your own app on your own accounts — Standard Access is enough; App Review only enters the picture if you start serving accounts you don't own.
  3. Paste tokens into your dashboard. Within a minute the server verifies each one and shows the account it belongs to. From then on, Instagram and Threads tokens rotate themselves.
  4. Post. Fill the publish form — or write a publish-request doc with the CLI — with your image URLs and caption. The permalink comes back on the doc a minute or three later. The RUNBOOK has the exact doc shape and the per-platform quirks.

One honest note on the word "secure": your tokens are protected from other users, and no normal client read path returns them — but they live server-side in a hosted app, which means trusting the platform the way you'd trust any SaaS that holds API keys. That's the normal bar for hosted automation; we're just saying it out loud.

Your posts, your pipeline

Remix meta-hub, paste two tokens, and your blog ships itself to three platforms.

Remix meta-hub →

Enjoyed this? Get the next post by email

One email field. Real updates. No algorithm required.

Prefer a feed? RSS · Atom