Social Media Platform API Rules in 2026: Rate Limits, Media Specs, and Publishing Quirks
A developer reference for every major social media API: access requirements, rate limits, media format rules, text limits, authentication, and the gotchas that break integrations. Updated for 2026.
The rules nobody writes down in one place
Every social media API has its own access requirements, rate limits, media specs, text constraints, and authentication quirks. The documentation is spread across developer portals that are designed for their own platform, not for developers building across all of them.
If you are building a social media API integration — whether a single-platform tool or a cross-platform publishing system — you need to know the rules for every platform you touch. This page is that reference.
We maintain this as a living document. When platforms change their APIs, we update the numbers here. If something is out of date, the platform changed it recently.
Instagram publishes through the Meta Graph API. Only Business and Creator accounts can publish via API — personal accounts have no programmatic publishing access.
Access requirements
- Register a Facebook Developer app and pass Meta App Review
- Required permissions:
instagram_business_basic,instagram_business_content_publish - App Review requires a screencast demo for each permission scope
- Review typically takes 5+ business days per submission; rejections require re-submission
Rate limits
- 200 API calls per hour per Instagram account (reduced from 5,000 in a 2025 change — a 96% decrease that broke many apps without warning)
- 100 API-published posts per 24 hours (rolling window, not calendar day)
Media specs
| Type | Formats | Max size | Dimensions / aspect ratios |
|---|---|---|---|
| Image | JPEG only, sRGB | 8 MB | 1:1 (1080x1080), 4:5 (1080x1350), 1.91:1 (1080x566) |
| Video (feed) | MP4, MOV, H.264/HEVC | 300 MB | Same as image; 3s–15min; 23–60 FPS |
| Video (Reels/Stories) | MP4, MOV | 100 MB | 9:16 (1080x1920); 3–60s |
| Carousel | Up to 10 items | Per-item limits apply | Mix of images and videos |
Audio: AAC, 48 kHz max, mono or stereo, 128 kbps.
Text limits
- Caption: 2,200 characters (includes spaces, URLs, hashtags)
- Maximum 30 hashtags per caption
- First 125 characters show before the “See More” cutoff
Authentication
- OAuth 2.0
- Short-lived tokens: ~1 hour
- Long-lived tokens: 60 days (exchange via
/refresh_access_tokenbefore expiry)
Gotchas
- Publishing is a two-step process: create a media container, then publish it in a separate call. Videos add a processing wait between these steps.
- The 2025 rate limit reduction from 5,000 to 200 calls/hour was unannounced and broke production apps.
- The
moovatom must be at the front of video files or uploads fail silently. - PNG images are rejected — JPEG only.
- The Instagram publishing guide covers the full container model in detail.
Or skip all this and use Postproxy.
TikTok
TikTok uses the Content Posting API at open.tiktokapis.com. It is the most restrictive platform for API publishing access.
Access requirements
- Register at
developers.tiktok.comand create an app - Must pass a TikTok audit to post public content — all content from unaudited apps is forced to private visibility
- The audit evaluates your use case, UX compliance, and content policy adherence
- Apps must be intended for a wide audience — internal/private tools are rejected
- No official timeline; the audit process can be slow and opaque
Rate limits
- 6 requests per minute per user token for initiating posts
- 30 requests per minute per user token for checking post status
- ~15 posts per day per creator (shared across all API clients using Direct Post — not per-app)
Media specs
| Type | Formats | Max size | Details |
|---|---|---|---|
| Video | MP4, H.264 | Chunked: 5–64 MB per chunk, final chunk up to 128 MB | Upload URL valid for 1 hour after issuance |
TikTok is video-only. There is no image-only posting via API.
Text limits
- Caption/description: ~2,200 characters (follows TikTok’s standard post limits)
Authentication
- OAuth 2.0
- Access token: 24 hours (86,400 seconds)
- Refresh token: 365 days (31,536,000 seconds)
Gotchas
- The daily post cap (~15) is shared across all API clients for a given creator. If the creator posts manually and through two apps, all three share the same limit.
- Before every post, you must query the creator’s info to get available privacy levels. TikTok requires showing the creator’s username and avatar in your UI — enforced during audit.
- No image posting. No carousel support. Video only.
- The TikTok API publishing guide covers the audit process and posting flow.
Or skip all this and use Postproxy.
X (Twitter)
X uses the v2 API with tiered access. Legacy v1.1 media upload endpoints were deprecated for self-serve tiers on March 31, 2025.
Access requirements
- Sign up at
developer.x.com - Three tiers: Free (limited), Basic ($200/month), Pro ($5,000/month), Enterprise (custom)
- Free tier is available immediately with minimal review
Rate limits
| Tier | Posts | Media uploads (24h) | Monthly cost |
|---|---|---|---|
| Free | 500/month (~17/day) | 85 total (34 initialize, 170 append, 34 finalize) | $0 |
| Basic | Higher (varies by endpoint) | Higher | $200 |
| Pro | Significantly higher | Full access | $5,000 |
All limits measured in 24-hour rolling windows.
Media specs
| Type | Formats | Max size | Details |
|---|---|---|---|
| Image | JPEG, PNG, GIF | 5 MB (mobile), 15 MB (web) | Recommended 1600x900 (16:9) |
| Video (standard) | MP4, MOV, H.264 + AAC | 512 MB | Up to 140 seconds |
| Video (Premium Plus) | MP4, MOV | 16 GB | Up to 4 hours at 1080p (web/iOS); Android limited to 10 min |
Text limits
- Standard accounts: 280 characters
- Premium subscribers: up to 25,000 characters
- Media attachments do not count against the character limit
Authentication
- OAuth 2.0 (recommended) and OAuth 1.0a (legacy)
- Requires
media.writescope and user context for publishing - Tokens do not expire automatically — valid until revoked
Gotchas
- The free tier’s 500 posts/month cap is total, not per-day. Burst publishing can exhaust it quickly.
- Media upload uses a separate endpoint (
upload.twitter.com) with a three-step flow: INIT, APPEND chunks, FINALIZE. This is not a simple multipart upload. - The v1.1 deprecation in 2025 broke many existing integrations.
- The X publishing guide covers the chunked upload protocol.
Or skip all this and use Postproxy.
LinkedIn’s publishing API is gated behind the LinkedIn Partner Program. Individual developers cannot simply create an app and start publishing.
Access requirements
- Apply through the LinkedIn Developer Portal — requires a Company Page
- Must join the LinkedIn Partner Program
- Review process is notoriously slow and opaque — weeks to months
- Uses the Posts API (replacement for deprecated
ugcPostsAPI)
Rate limits
- Rate limits are not publicly documented. They vary by endpoint and are only visible in the Developer Portal Analytics tab after making at least one request.
- Generally considered restrictive compared to other platforms.
Media specs
| Type | Formats | Max size | Details |
|---|---|---|---|
| Image | JPG, PNG | Not specified (thumbnails under 2 MB) | Recommended 1200x627 (1.91:1) or 1200x1200 (1:1) |
| Video | MP4, MOV, ASF, MKV, MPEG, WMV, VP8/VP9, H.264 | 5 GB (personal), 200 MB (Company Page/ads) | 3s–10min; ≤30 FPS; Audio: AAC/MPEG4, <64 kHz |
Aspect ratios: 16:9 or 4:5 recommended.
Text limits
- Post body: 3,000 characters
Authentication
- OAuth 2.0 (3-legged flow)
- Access token: 60 days
- Refresh token: 365 days (TTL does not reset on use — it stays fixed from initial grant)
Gotchas
- The Partner Program requirement is the biggest barrier. Most indie developers and small teams cannot get approved.
- If your application is rejected, you must create a new app entirely — you cannot re-apply with the same one.
- Rate limits are hidden by design. You discover them empirically.
- API versioning is aggressive — Marketing API versions are sunset rapidly.
- Media uploads use an asset registration flow: register the asset, get an upload URL, upload with ETag tracking, then reference the asset in the post.
- The LinkedIn publishing guide covers the full posting and media flow.
Or skip all this and use Postproxy.
Facebook Pages use the Meta Graph API (currently v22.0+). Personal profiles cannot be published to via API — this is a deliberate Meta policy.
Access requirements
- Register a Facebook Developer app
- Request
pages_manage_postsandpages_read_engagementpermissions - App Review required — submit a video walkthrough demonstrating each permission’s usage
- Review takes approximately 5 business days; rejections for vague permission justifications are common
- App must be in Live Mode (not Development Mode) for production use
Rate limits
- 25 posts per Page per 24 hours (rolling window)
- General API rate limits are calculated per-app based on number of users
Media specs
| Type | Formats | Max size | Details |
|---|---|---|---|
| Image | JPEG | 8 MB | Recommended 1200x630 for link shares |
| Video | MP4 recommended | Varies | 24–60 FPS; recommended 1080x1920; min 540x960 |
Text limits
- Post body: 63,206 characters (technical maximum)
- Truncated after ~125 characters with “See More”
Authentication
- OAuth 2.0
- Short-lived tokens: ~1 hour
- Long-lived user tokens: ~60 days
- Page access tokens can be made non-expiring through a multi-step token exchange flow (short-lived → long-lived user token → page token)
Gotchas
- The non-expiring page token flow is not clearly documented. Many developers miss it and deal with constant token expiration.
- Permission scopes changed from
publish_pagestopages_manage_posts— old tutorials are misleading. - API versions deprecate every ~2 years. Keeping up with breaking changes is ongoing maintenance.
- Video uploads use a resumable upload protocol through
rupload.facebook.com. - The Facebook publishing guide covers the full flow.
Or skip all this and use Postproxy.
YouTube
YouTube uses the Data API v3 with a quota-based system that makes high-volume publishing expensive in quota units.
Access requirements
- Enable YouTube Data API v3 in Google Cloud Console
- Create OAuth 2.0 credentials
- For production use with significant volume, a Quota and Compliance Audit may be required
Rate limits
- 10,000 quota units per day (default per project)
- A single video upload costs 1,600 units — meaning only ~6 video uploads per day on default quota
- Read operations cost ~1 unit; search costs 100 units
- Failed calls still consume quota
- Higher quota requires audit approval (can take weeks)
Media specs
| Type | Formats | Max size | Details |
|---|---|---|---|
| Video | MP4, MOV, AVI, WMV, FLV, WebM, 3GP, MPEG | 256 GB or 12 hours (whichever is less) | Recommended: MP4 + H.264 + AAC |
Text limits
- Video title: 100 characters
- Video description: 5,000 characters
- Tags: 500 characters total
Authentication
- OAuth 2.0 (required for uploads — API keys alone cannot upload)
- Access token: 1 hour
- Refresh token: long-lived in production (no fixed expiry)
- Warning: Apps in “Testing” mode get 7-day refresh token expiry. Only verified production apps get long-lived tokens.
Gotchas
- The 10,000 unit daily quota is deceptively small. Six video uploads consume 9,600 units, leaving only 400 for everything else.
- All API requests — including failed ones — cost at least one quota point.
- Google’s OAuth verification process can take months for sensitive scopes.
- Unverified apps are limited to 100 users.
- The YouTube publishing guide covers the resumable upload protocol.
Or skip all this and use Postproxy.
Threads
Threads uses the Meta Developer Platform. It requires an Instagram Professional account (Business or Creator) linked to Threads.
Access requirements
- Same Meta Developer Portal as Instagram/Facebook
- Must pass Meta App Review for production use
- Requires an Instagram Professional account connected to Threads
Rate limits
- 250 API-published posts per 24 hours per Threads profile (rolling window)
- Check your limit via
GET me/threads_publishing_limit
Media specs
| Type | Formats | Max size | Details |
|---|---|---|---|
| Image | Standard web formats | Up to 10 images per post (carousel) | 9:16 (1080x1920) or 4:5 (1080x1350) recommended |
| Video | MP4 only | — | Max 5 minutes; max 1920x1080 |
| Mixed | Up to 20 media items (images + videos combined) per post | — | — |
Text limits
- Post text: 500 characters
- Text attachments: up to 10,000 characters (separate from main post text)
- Only 1 hashtag per post allowed
Authentication
- OAuth 2.0 (Meta ecosystem)
- Token lifetimes follow Meta’s standard: short-lived (~1 hour), long-lived (~60 days)
Gotchas
- The 1 hashtag per post limit is unique among all platforms and catches every developer off guard.
- The 500-character limit means you cannot cross-post Instagram captions (2,200 chars) without truncation.
- Text attachments (10,000 chars) are a separate concept from post text (500 chars) — they are not interchangeable.
- The API is relatively new and features are still being added. Expect changes.
- The Threads publishing guide covers the posting flow.
Or skip all this and use Postproxy.
Pinterest uses the API v5 with a two-tier access system.
Access requirements
- Register at
developers.pinterest.comand create an app - Requires a Pinterest Business account
- Two tiers: Trial (daily rate limits, limited) and Standard (per-minute limits, requires Pinterest approval)
- Standard access approval timeline is not guaranteed
Rate limits
- Trial access: Daily rate limits (specific per-endpoint numbers not publicly documented)
- Standard access: Per-minute limits (e.g., 300 calls/min for ads analytics, 5,000 calls/min for conversions)
- Pin creation rate limits exist but are not prominently documented
- Rate limits can change without notice — no changelog or advance warning
Media specs
| Type | Formats | Max size | Details |
|---|---|---|---|
| Image | PNG, JPEG, WebP | 32 MB (standard/carousel), 20 MB (ads) | Recommended 1000x1500 (2:3) |
| Video | MP4, MOV, M4V, H.264 | 2 GB | 4s–15min; 2:3, 9:16, or 1:1 aspect ratios |
Text limits
- Pin title: 100 characters
- Pin description: 500 characters (may be truncated on device)
Authentication
- OAuth 2.0
- Access token: 30 days
- Refresh token: 365 days
Gotchas
- Trial access has strict daily limits that you discover only when you hit them.
- The jump from Trial to Standard requires Pinterest approval with no guaranteed timeline.
- Pin descriptions may be truncated differently across devices — do not rely on the full 500 characters being visible.
- The Pinterest publishing guide covers the API v5 flow.
Or skip all this and use Postproxy.
The comparison table
| Platform | Free API? | Posts/day limit | Text limit | Auth | Token lifetime | App review? |
|---|---|---|---|---|---|---|
| Yes | 100 | 2,200 chars | OAuth 2.0 | 60 days | Yes (Meta) | |
| TikTok | Yes | ~15 (shared) | ~2,200 chars | OAuth 2.0 | 24h access / 365d refresh | Yes (audit) |
| X | Free/$200/$5K tiers | 500/month (free) | 280 chars (25K premium) | OAuth 2.0 | No expiry | Minimal |
| Yes (if approved) | Undisclosed | 3,000 chars | OAuth 2.0 | 60d access / 365d refresh | Yes (Partner Program) | |
| Yes | 25/page | 63,206 chars | OAuth 2.0 | Non-expiring (page tokens) | Yes (Meta) | |
| YouTube | Yes | ~6 (quota) | 5,000 chars (description) | OAuth 2.0 | 1h access / indefinite refresh | Audit for higher quota |
| Threads | Yes | 250 | 500 chars (+10K attachment) | OAuth 2.0 | 60 days | Yes (Meta) |
| Yes | Undisclosed | 500 chars (description) | OAuth 2.0 | 30d access / 365d refresh | Yes (for Standard) |
What this adds up to
If you are integrating with one platform, the rules above are manageable. Study the documentation, implement the auth flow, handle the edge cases, and maintain it.
If you are integrating with multiple platforms — which is the reality for any cross-posting or multi-brand publishing system — you are maintaining eight different authentication schemes, eight different rate limiting strategies, eight different media upload protocols, and eight different sets of content constraints. Any of which can change without notice.
That is not a feature. That is infrastructure.
Postproxy abstracts all of it into one API. One authentication scheme. One media upload path. One set of rate limits. One response format. The platform-specific complexity described on this page is real, but it does not have to be your problem.
Connect your accounts and start publishing through the Postproxy API.