Enter your data in the call to generatePostDataForSignIn(), then run index.html (from a web server, to avoid being blocked by the CORS policy) to get the post data for your sign-in request.
You must extract the sessionid from the response header (field "Set-Cookie: sessionid=..."); this is your authorized session. Send the sessionid in the Cookie header of every HTTP request that needs to be authorized.
WARNING
If you're using fetch or something else that doesn't have access to HttpOnly cookie fields, you need to enable the use of cookies and sessions. Read more here
- Make a request to any instagram.com page (e.g. https://www.instagram.com/accounts/login/).
Get the parameters from the response headers:

    ig-set-password-encryption-web-key-id: ...
    ig-set-password-encryption-web-pub-key: ...
    ig-set-password-encryption-web-key-version: ...

OR
from the HTML (GET request to any page, e.g. https://www.instagram.com/accounts/login/).
HTML response example:

    ...
    <script type="text/javascript">window._sharedData = {
      "config": {
        "csrf_token":"..." ... // <=== this is csrftoken
        ...
      "encryption": {
        "key_id":"...", // <=== ig-set-password-encryption-web-key-id
        "public_key":"...", // <=== ig-set-password-encryption-web-pub-key
        "version":"..." // <=== ig-set-password-encryption-web-key-version
      }
      ...
    </script>
    ...
- Process the data using the algorithm described in signinEncryptData.js.
The following cryptographic algorithms and libraries are used:
  - AES-GCM-256
  - NaCl crypto_box seal (Curve25519, Salsa20, Poly1305). crypto_box is curve25519xsalsa20poly1305, a particular combination of Curve25519, Salsa20, and Poly1305 specified in "Cryptography in NaCl".
- Send the sign-in POST request with postData.
Minimal expected headers for a successful authorization request:

    url: "https://www.instagram.com/accounts/login/ajax/", // <=== Sign in API url
    headers: {
      "Host": "www.instagram.com",
      "Content-Type": "application/x-www-form-urlencoded",
      "X-CSRFToken": csrftoken, // <=== csrftoken
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"
    },
    body: postData // <=== Data obtained at the second stage.

Get the sessionid from the Set-Cookie header of the response. It's your authorized session.
WARNING: the sessionid set by Set-Cookie is HttpOnly. Read more here.
Success response:

    // Header:
    Set-Cookie: sessionid=...; Domain=.instagram.com; expires=Sat, 10-Jul-2021 13:51:39 GMT; HttpOnly; Max-Age=31536000; Path=/; Secure
    // Body:
    {
      "user": true,
      "userId": ...,
      "authenticated": true,
      "oneTapPrompt": true,
      "status": "ok"
    }
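
Reading the sessionid out of the Set-Cookie header shown above, as an added example that is not part of this repository's code. It is meant for a non-browser client (for example Node.js) that can see response headers; the function names and the sample header values are constructed for illustration.

```javascript
// Added example, not code from this repository. Names and sample values are constructed.

// Parse one Set-Cookie line into { name, value, attrs }; null if it has no name=value pair.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; flags such as HttpOnly have no value.
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Some HTTP clients return several Set-Cookie headers joined by commas. Splitting on
// every comma would cut "expires=Sat, 10-Jul-2021 ..." in two, so split only where
// the comma is followed by the next cookie's "name=".
function splitSetCookie(joined) {
  return joined.split(/,\s*(?=[^;,=\s]+=)/);
}

// Accepts an array of Set-Cookie lines or one comma-joined string.
// Returns the sessionid cookie and its security attributes, or null if it is absent.
function extractSession(setCookie) {
  const lines = Array.isArray(setCookie) ? setCookie : splitSetCookie(setCookie);
  const cookie = lines.map(parseSetCookie).find((c) => c && c.name === "sessionid");
  if (!cookie || cookie.value === "") return null;
  return {
    cookieHeader: `sessionid=${cookie.value}`, // value for the Cookie request header
    httpOnly: cookie.attrs.httponly === true,
    secure: cookie.attrs.secure === true,
    maxAgeSeconds: Number(cookie.attrs["max-age"]),
  };
}

// Constructed sample: the sessionid line follows the success response above with a
// placeholder value; the csrftoken line is added only to exercise the splitting.
const SAMPLE = [
  "csrftoken=CONSTRUCTED_CSRF; Path=/; Secure",
  "sessionid=CONSTRUCTED_SESSION; Domain=.instagram.com; expires=Sat, 10-Jul-2021 13:51:39 GMT; HttpOnly; Max-Age=31536000; Path=/; Secure",
];

console.log(extractSession(SAMPLE));
```

The Max-Age of 31536000 seconds in the response is one year, so the extracted value should be stored like any other long-lived credential.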