You can help us better identify API calls from your app by making server-side calls with a HTTP header named X-Insta-Forwarded-For signed using your Client Secret. This header is optional, but recommended for any app making server-to-server calls. To enable this setting, edit your OAuth Client configuration and mark the Enforce signed header checkbox. When enabled, Instagram will check for the X-Insta-Forwarded-For HTTP header and verify its signature. The expected value is a combination of the client's IP address and a HMAC signed using the SHA256 hash algorithm with your client's IP address and Client Secret.

HTTP Header: X-Insta-Forwarded-For

Value: [IP information]|[Signature]

IP information: Comma-separated list of one or more IPs; if your app receives requests directly from clients, then it should be the client's remote IP as detected by the your app's load balancer; if your app is behind another load balancer (for example, Amazon's ELB), this should contain the exact contents of the original X-Forwarded-For header. You can use the 127.0.0.1 loopback address during testing.

Signature: Using your Client Secret, apply an HMAC with SHA256, and append the hex representation of the signature there.