Platform disclosure and reviewer kit.

Everything a Meta reviewer needs in one place: the permissions Laras requests, why each is required, how to test the full flow with a test account, and the policy references. Laras uses official Meta APIs, only after business-owner authorization, to receive customer messages and send business replies.

For partners landing here: Laras is the operating layer underneath your AI business. When you connect your clients' Meta accounts on your behalf, the same authorization model and the same policy posture below apply. Your brand on top. Client data stays scoped.

Operated by: PT LARAS TEKNOLOGI INTERNATIONAL, Indonesia
Last updated: June 16, 2026
Review status: Preparing submission

01 Permissions requested

Each scope is requested only after the owner connects their account and grants consent through Meta's authorization flow. No scope is used for purposes outside the conversation surface it was granted for. Laras is not a general-purpose AI assistant. It does not offer open-domain question answering, companionship, or arbitrary content generation to end customers. The AI is an ancillary drafting aid: it drafts business replies scoped to each inbound customer conversation, grounded only in the connected business's own catalog, prices, and policies, and sends them inside the platform's customer-service window after the owner's configured review rules.

whatsapp_business_messaging

Send and receive messages on behalf of the connected WhatsApp Business number.

Why needed

Laras receives an inbound WhatsApp message via webhook, drafts a reply, and sends the business reply through the official Cloud API inside the 24-hour customer-service window. Without this scope Laras cannot answer customers.

whatsapp_business_management

Read the connected WABA + phone-number metadata and manage message templates.

Why needed

Displays the connected number in settings, routes inbound webhooks to the correct workspace, and reads delivery status. Template management is limited to approved, owner-authored templates.

instagram_business_basic

Read the connected Instagram professional account profile + media.

Why needed

Identifies the connected account and shows it in settings so the owner can confirm the right account is linked.

instagram_business_manage_messages

Receive Instagram DMs and send replies on behalf of the connected account.

Why needed

Laras receives a customer DM via webhook, drafts a reply, and sends the owner-reviewed or auto-approved reply through the official Graph API.

instagram_business_manage_comments

Receive inbound comments on the connected account and post replies the owner has reviewed or auto-approved.

Why needed

Customers frequently reach the business through public comments on posts and reels in addition to DMs. Laras receives the comment event via webhook, drafts a reply scoped to that comment thread, and either holds it for owner approval or posts the auto-approved reply through the official Graph API. Comments are treated as a parallel surface to DM, not as a posting channel for unrelated content.

02 How the integration works

  1. Connect

    The business owner opens Settings, Integrations and connects their account. Instagram uses Meta’s OAuth authorization. WhatsApp pairs a phone_number_id from the Meta WhatsApp Manager. Tokens are stored in encrypted token storage.

  2. Receive

    A customer messages the connected account. Meta delivers the event to Laras at the verified webhook (HMAC SHA-256 signature checked before processing). Laras routes it to the owning workspace.

  3. Draft

    Laras drafts a reply scoped to that conversation using only the workspace’s own business context. A safety classifier inspects the draft for brand alignment and policy compliance before anything leaves.

  4. Send

    If the owner enabled auto-send and the draft passes the classifier, Laras sends automatically inside the customer-service window. Otherwise the draft is held in the approval queue for manual review.

  5. Arrives

    The reply is delivered through the official Meta API. Laras records the provider message ID and delivery status in the evidence chain.

  6. Disconnect

    The owner can disconnect anytime. Tokens and account or number references are cleared immediately. Meta deauthorize and data-deletion callbacks clear the same data.

03 Test the full flow

  1. Sign in at /login using the test workspace credentials provided with the submission.
  2. Open Settings, Integrations. For Instagram, click Connect and complete Meta’s OAuth with the test IG professional account.
  3. For WhatsApp, open the WhatsApp Business tile and click "Connect WhatsApp via Meta" to launch Embedded Signup.
  4. Complete the Meta popup: pick the test business, select or create the WABA, choose the test phone number, and approve the requested scopes.
  5. On popup success Laras receives the short-lived authorization code plus session_info (waba_id, phone_number_id) and POSTs them to /api/wa/embedded-signup-callback. The server exchanges the code for a long-lived token and stores it with AES-256-GCM at rest. No token is logged or echoed to the browser.
  6. Confirm the connected number appears on the WhatsApp tile and that inbound webhooks at /api/webhooks/wa route to the test workspace using its phone_number_id (per-tenant routing is keyed off the Meta-issued ID, not a shared inbox).
  7. From an external account, message the connected Instagram account or WhatsApp number.
  8. Observe the inbound message appear in the Laras inbox and a drafted reply generated.
  9. Auto-send off: approve the draft and confirm delivery. Auto-send on: confirm automatic delivery inside the 24-hour window.
  10. Click Disconnect and confirm the connection is removed and tokens are cleared.
  11. Fallback paths to spot-check: (a) close the Meta popup before finishing. Laras shows "Signup was cancelled before it finished" and no row is written. (b) Let the session expire mid-flow. The Embedded Signup component clears its captured session_info on each new launch, so a stale waba_id never reaches the callback. In both cases the reviewer lands back on the Integrations page with no partial state.
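
An added illustration, not Laras's own code, of the two checks a reviewer exercises in the "Receive" step and in step 6 above: the HMAC SHA-256 signature Meta sends in the X-Hub-Signature-256 header is verified over the raw request bytes before anything is parsed, and the event is then routed by the Meta-issued phone_number_id. The secret, the workspace table, the function names and the sample body are constructed for the example.

```python
import hashlib
import hmac
import json

APP_SECRET = b"constructed-app-secret"         # placeholder, not a real secret
WORKSPACES = {"PNID_TEST_0001": "ws_test"}      # hypothetical tenant table

# Constructed sample of a WhatsApp Cloud API "messages" webhook body.
SAMPLE_BODY = json.dumps({
    "object": "whatsapp_business_account",
    "entry": [{"id": "WABA_TEST_0001", "changes": [{
        "field": "messages",
        "value": {
            "messaging_product": "whatsapp",
            "metadata": {"phone_number_id": "PNID_TEST_0001"},
            "messages": [{"id": "wamid.CONSTRUCTED1", "type": "text",
                          "text": {"body": "Is this in stock?"}}],
        },
    }]}],
}).encode()


def expected_signature(raw_body, secret):
    """Header value that matches this exact byte string under the given secret."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def signature_ok(raw_body, header, secret):
    """Constant-time check of X-Hub-Signature-256 over the raw request bytes."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(expected_signature(raw_body, secret).encode(),
                               header.encode("utf-8", "replace"))


def route_wa_webhook(raw_body, header, secret=APP_SECRET, workspaces=WORKSPACES):
    """Return [(workspace, message_id)]; raise PermissionError if unsigned or tampered."""
    if not signature_ok(raw_body, header, secret):
        raise PermissionError("webhook signature mismatch")
    payload = json.loads(raw_body)              # parse only after the HMAC passes
    routed = []
    for entry in payload.get("entry", []):
        for change in entry.get("changes", []):
            value = change.get("value", {})
            pnid = value.get("metadata", {}).get("phone_number_id")
            workspace = workspaces.get(pnid)
            if workspace is None:
                continue                        # unknown number: drop, no shared inbox
            routed += [(workspace, m.get("id")) for m in value.get("messages", [])]
    return routed
```

The signature must be computed over the bytes exactly as received; re-serializing the parsed JSON before hashing changes the digest and rejects valid events.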

Reviewer support

Test credentials and a screencast of the full flow are included with the submission. For additional access or a live walkthrough, contact help@larasx.com.

04 Compliance commitments

Owner authorization first

Laras only accesses an account after the owner connects it through Meta’s official authorization flow.

Inside policy windows

WhatsApp free-form replies are sent only inside the 24-hour customer-service window. No unsolicited messaging.

No resale or scraping

Connected data is never sold, shared with advertisers, scraped, or used for prospecting outside the conversation it came from.

Deletable on demand

Disconnect, deauthorize, and Meta data-deletion callbacks all clear tokens and references.

Business customer service only

Laras is task-scoped to a business’s own customer conversations. General-purpose / open-domain assistant behavior is disabled.

05 Policy and technical references

Endpoints

  • Instagram webhook: /api/webhooks/instagram
  • WhatsApp webhook: /api/webhooks/wa
  • Data-deletion callback: /api/meta/data-deletion
  • Deauthorize callback: /api/meta/instagram/deauthorize