Remix meta-hub into your own social media machine
Every post on this blog now ships itself to Instagram, Threads, and Facebook. The thing doing the shipping isn't a scheduling SaaS or a CI workflow. It's a vibe — three files, owner-only, with its own token vault, its own rotation schedule, and a three-platform publish state machine. And because it's a vibe, you don't have to build your own: remix it, paste your tokens, and the machine is yours.
What meta-hub is
meta-hub is a
standard Vibes DIY app: App.jsx (a dashboard), access.js (owner-only,
everywhere), and a backend.js whose
scheduled handler wakes every minute and does all the work:
- The vault holds one token document per platform — Instagram, Threads,
Facebook Page. Instagram and Threads tokens expire every 60 days, so the
handler refreshes any token older than seven days; the write-back that makes
scheduled rotation awkward elsewhere is just a database
puthere, because the store and the rotator are the same app. - The publisher walks
publish-requestdocuments through Meta's container-then-publish flow — carousels, single images, or (on Threads) text-only posts with clickable links. Progress persists on the request doc, so a slow media container just resumes on the next tick, and the permalink lands on the doc when it's done. - The dashboard shows token health and post statuses, and takes new tokens and new publish requests. That's the whole operating surface.
The trick worth stealing: tokens as data
Scheduled token refresh keeps hitting the same snag: the refresher needs somewhere to write the new token. If that somewhere is a secrets manager, you need a second credential with write access — a credential guarding a credential. meta-hub's move (issue #3101 has the full design record) is to store tokens as database records in the app itself, so rotation is an ordinary write through the app's own access rules.
Get posts like this in your inbox
One email field. Real updates. No algorithm required.
The security posture is stricter than it sounds. The vault's channel is
granted to no one, so no normal client read path can fetch token values
back — the paste form writes them, server-side scheduled code reads them,
and the dashboard shows only a redacted status projection (platform, account
name, expiry, health — never the token). In normal operation, raw credentials
live in Meta's dashboard where you minted them and in the server-side vault,
nowhere else.
The scars are included
Getting three Meta surfaces working taught us things their docs don't say, and every lesson is encoded in the backend, so a remix inherits the fixes (PR #3181 has the war story):
- A carousel container that references children created one second earlier
fails with a detail-free
ERROR—FINISHEDdoesn't mean referenceable. Parents are only assembled from children a full tick old. - Threads' authenticated status reads come back without CORS headers, so they're unreachable from a CORS-parity egress proxy. Threads skips polling entirely and publishes with bounded retry instead.
- Paste the wrong flavor of Facebook credential and posting fails with a
cryptic
#200. meta-hub now resolves any page-capable token through/me/accountsto the Page's own long-lived token, so the wrong flavor becomes the right one automatically.
Make it yours
- Remix it. Open jchris/meta-hub and remix. You get the code; you do not get our data — a remix copies source, never databases, so your vault starts empty and our tokens stay home.
- Do the Meta paperwork once (~30–60 minutes, all in Meta's dashboards): create a Business-type app at developers.facebook.com, add the Instagram and Threads use cases, convert your accounts to professional if they aren't, and generate a long-lived token for each platform from the use case's token generator. For a Facebook Page, generate a system-user token in Business Manager, configured with no scheduled expiration — nothing to rotate, though like any credential it can still be revoked. For this first-party setup — your own app on your own accounts — Standard Access is enough; App Review only enters the picture if you start serving accounts you don't own.
- Paste tokens into your dashboard. Within a minute the server verifies each one and shows the account it belongs to. From then on, Instagram and Threads tokens rotate themselves.
- Post. Fill the publish form — or write a
publish-requestdoc with the CLI — with your image URLs and caption. The permalink comes back on the doc a minute or three later. The RUNBOOK has the exact doc shape and the per-platform quirks.
One honest note on the word "secure": your tokens are protected from other users, and no normal client read path returns them — but they live server-side in a hosted app, which means trusting the platform the way you'd trust any SaaS that holds API keys. That's the normal bar for hosted automation; we're just saying it out loud.
Your posts, your pipeline
Remix meta-hub, paste two tokens, and your blog ships itself to three platforms.
Remix meta-hub →