TL;DR
End users of the official Meta MCP or already-approved third-party tools typically do not submit App Review themselves; they authenticate via OAuth through an app that has already been reviewed. App Review is required for developers building their own Meta app that calls the Marketing API. Using an unverified GitHub repo to access the API carries documented account suspension risk: some reports from the Meta Ads MCP ecosystem describe suspensions associated with unverified API access patterns.
Key facts:
- Meta's official MCP server launched April 29, 2026; end users connect without developer credentials, API setup, or coding (Meta for Developers)
- Meta lowered the Marketing API Access Tier threshold from 1,500 to 500 API calls in the past 15 days, effective May 4, 2026 (Meta Developer Blog)
- Meta explicitly states that apps used by people without a role on the app must undergo App Review, which is why end users connect through already-reviewed apps rather than their own (Meta App Review docs)
- Some reports from the Meta Ads MCP ecosystem describe account suspension risk associated with unverified API access patterns; treating this as confirmed enforcement policy requires a direct Meta source.
- App Review and Business Verification are two separate Meta processes with distinct review queues (Meta Business Help)
Do You Need Meta App Review for MCP?
Quick Answer
No, if you're using the official Meta MCP (mcp.facebook.com/ads) or a verified tool like AdAdvisor. Yes, if you're building your own Marketing API application or custom MCP integration.
Do you need Meta App Review?
| Situation | Need App Review? |
|---|---|
| Using official Meta MCP (mcp.facebook.com/ads) | No |
| Using AdAdvisor | No |
| Using Pipeboard | No |
| Using Ryze | No |
| Building a custom MCP integration | Yes |
| Building a SaaS tool on the Marketing API | Yes |
| Building a facebook ads api developer app | Yes |
| Forking an open-source GitHub MCP repo | Yes (if you register it as an app) |
If you're an advertiser using Meta's official MCP or a verified tool (AdAdvisor, Pipeboard, Ryze):
No App Review required. You authenticate via standard Meta Business Suite OAuth, the same browser consent flow you'd use to connect Shopify or Mailchimp to your Facebook account. Meta has already approved the app you're connecting through. According to Meta's developer documentation, this OAuth flow completes in 5-15 minutes.
If you're a developer building your own Meta app or custom MCP integration:
Yes, you need to register a Meta Developer App at developers.facebook.com, request ads_management, ads_read, and business_management permissions, and pass App Review. Review timelines vary by permission type and are not published as a fixed SLA.
The confusion happens because people hear "App Review" mentioned in MCP setup discussions and assume it's a step they need to take. It isn't, unless you're the one building the app.
What Is Meta App Review?
Meta App Review is Meta's process for approving third-party applications that request access to Marketing API features beyond basic profile data. It is the meta marketing api app review gate: required for developers building a facebook ads api developer app that accesses other users' ad accounts, not for the advertisers who use those tools.
The review process involves submitting a use case description, screenshots or a demo video of the app, a privacy policy URL, and a data use disclosure. According to Meta's developer blog, as of May 2026, Meta removed the screen recording upload requirement, and approval criteria are now visible directly in the App Dashboard under Permissions & Features.
The key distinction: App Review governs the app, not the user. Meta's App Review documentation states that apps used by people without a role on the app must undergo App Review, which is exactly why end users connect through already-reviewed apps. When you use the official Meta MCP or AdAdvisor, you are the end user connecting through their app, not the developer.
Approval process notes:
- Meta does not publish a fixed review SLA; timelines vary by permission type and use case.
- Sensitive permissions (large-scale data storage, financial data access) require additional documentation and review.
- Requirements are now visible in the App Dashboard under Permissions & Features before submission (Meta App Review docs).
App Review vs. Business Verification: What's the Difference?
These two terms are frequently confused, even in Meta's own documentation. They are separate processes with different triggers, different requirements, and different review queues.
App Review vs. Business Verification
| Meta App Review | Meta Business Verification | |
|---|---|---|
| What it is | Approval for an app's permission scope | Verification that a business entity is legitimate |
| Who does it | App developers | Business owners |
| When required | When building an app that calls the Marketing API | Tied to business eligibility and certain product/feature requirements, not solely a spend threshold |
| How long | Varies by permission type; no fixed SLA published by Meta | Can take 1-2 weeks; requires legal/business documents |
| Relevant to MCP users | Only if you're building your own app | Only if your account is flagged or you need features that require it |
Plain-language summary
App Review = "Is this app allowed to do what it's trying to do?" Business Verification = "Is the business behind this account real?" Most MCP users need neither.
How these layers connect:
User -> OAuth -> Approved App -> Marketing API- App Review validates the Approved App (capability scope: what the app is permitted to do)
- Business Verification validates the business operating it (identity trust: who is behind the account)
- OAuth is the mechanism the user interacts with; controlled by the Approved App, not the user
- Marketing API is the destination, only accessible through a registered, approved app
Meta maintains these as two separate review mechanisms because they govern different trust dimensions. App Review controls capability scope: whether a specific application is authorized to invoke specific Marketing API permissions. Meta Business Verification controls identity trust: whether the entity operating an ad account is a verified, legally registered business. A developer can pass App Review without Business Verification, and vice versa.
The Real Risk: Unverified GitHub MCP Repos
The more practical question for most people reading this isn't whether they need to submit an App Review. It's whether the tool they're already using puts their account at risk.
Note
This section is risk guidance based on how Meta's API access policies work and reports from the developer community, not a confirmed enforcement policy statement from Meta.
Meta's Platform Terms require that apps accessing the Marketing API be registered and approved. An unverified GitHub repo that calls the Marketing API with a personal access token, with no registered app, no rate limiting, and no proper OAuth, operates outside that framework. Multiple reports from developer forums through Q1 2026 describe account suspensions associated with this type of unverified API access pattern. The underlying risk is structural: using the Marketing API outside a registered, approved app means operating in a way Meta's Platform Terms do not permit.
Two paths are currently safe:
- Meta's official MCP (
mcp.facebook.com/ads): Meta hosts the authentication, no token paste required, launched April 29, 2026 - Verified third-party apps such as AdAdvisor that passed Meta's App Review with scoped permissions and explicit rate limiting on every API request
What to avoid:
- Forking a GitHub repo and connecting it to your live ad account with a personal access token
- Any MCP server that asks you to paste a raw Marketing API access token directly into a config file or chat interface
- Self-hosted MCPs where you cannot confirm the underlying app is registered with Meta as a developer app
How to tell if a tool is safe
Check the authentication method. Standard Meta OAuth opens a Meta-hosted browser login and permissions screen; the underlying app is registered. A tool that asks you to paste a personal access token is almost certainly unregistered. Token-paste = unregistered app = account risk.
What "Already Approved" Means for AdAdvisor Users
AdAdvisor states that it passed both Meta's App Review and Business Verification during the development of the AdAdvisor MCP. According to AdAdvisor, end users connect through a pre-approved app with declared, scoped permissions, not through an unregistered integration. This is a vendor claim; to verify it independently, look for the standard Meta OAuth browser flow when connecting, which is the visible indicator that the underlying app is registered.
AdAdvisor users connect via a standard Meta OAuth browser flow, the same consent screen used when connecting any verified third-party app to a Meta Business account. No developer registration, no document submission, and no approval wait on the user's end. The ads_management and related permissions that AdAdvisor requests are the permissions Meta approved during App Review. The account suspension risk from unverified tools does not apply to AdAdvisor connections.
If You Do Need App Review: What to Expect
This section is for developers building their own Meta integrations, not for advertisers using existing tools.
Step-by-step process
Register a Meta Developer App
Go to developers.facebook.com and create a new app. Select the app type appropriate for your use case.
Add required permissions
Add the ads_management, ads_read, and business_management permissions to your app from the App Dashboard.
Build and test in development mode
Build your integration and test it in development mode. During this phase, the app is only accessible to app admins and testers you have added.
Prepare your App Review submission
Gather your materials: use case description, demo screenshots or video, privacy policy URL, and data use disclosure.
Review requirements in App Dashboard
Check Permissions & Features in your App Dashboard before submitting. As of May 2026, all requirements are fully visible without contacting Meta support.
Submit and wait for review
Submit your App Review. Meta does not publish a fixed SLA; timelines vary by permission type and use case.
Prepare for additional review if needed
Sensitive permissions or apps requesting large-scale data access require additional documentation. Allow extra time accordingly.
Go live once approved
Once approved, your app can authenticate the accounts you manage. Other users can connect if you configure the app for public use.
According to Meta's May 2026 developer update, the eligibility threshold for the Marketing API Access Tier (formerly Ads Management Standard Access) is now 500 API calls in the past 15 days, down from 1,500. The screen recording upload requirement has also been removed.
Frequently Asked Questions
Frequently Asked Questions
Summary
End users of the official Meta MCP or a verified tool like AdAdvisor do not submit App Review themselves; they connect through an already-reviewed app via standard OAuth. Developers building their own Meta MCP integrations or custom Marketing API apps do need App Review; Meta does not publish a fixed timeline, and requirements vary by permission type. The risk to be aware of is unverified API access: some reports describe account suspensions associated with unverified GitHub-based integrations that accessed the Marketing API outside a registered app context. The two structurally safe paths are Meta's official MCP server (mcp.facebook.com/ads) and third-party apps that completed Meta's App Review with scoped permissions and proper OAuth.
See how the official Meta MCP and AdAdvisor compare for setup and safety
Compare setup requirements, safety features, and account risk between Meta's official MCP server and AdAdvisor.
Read more
