We're facing a strange issue when we try to access an existing Instagram page (e.g., https://www.instagram.com/sapo) from any browser and the user doesn't have a valid session (i.e., the user is not logged in). When this happens, we've noticed that the GET requests for the /graphql/query/ URLs always return 401.
For instance, here's an example of one of those requests:

GET /graphql/query/?query_id=9957820854288654&user_id=1237217658&include_chaining=false&include_reel=true&include_suggested_users=false&include_logged_out_extras=true&include_live_status=false&include_highlight_reels=true&__s=%3A%3Ax9a999 HTTP/3
Host: www.instagram.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
X-Mid: 1o8k9p311lkopr6ososd8rs9pp9ccxsn8n0hfn1sml3jf1jbfib1
X-CSRFToken: g9UJyzLKOT1VDfgXYtvF1_
X-IG-App-ID: 936619743392459
X-ASBD-ID: 129477
X-IG-WWW-Claim: 0
X-Web-Device-Id: F9B1761B-61DD-44A6-A4C5-BD3B591EFDDF
X-Requested-With: XMLHttpRequest
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Referer: https://www.instagram.com/sapo/
Cookie: csrftoken=g9UJyzLKOT1VDfgXYtvF1_
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
TE: trailers

And here's the answer we're getting back (http headers and body):

HTTP/3 401
content-type: application/json; charset=utf-8
date: Wed, 13 Nov 2024 14:52:54 GMT
vary: Accept-Language, Cookie
content-language: en
strict-transport-security: max-age=31536000
cache-control: private, no-cache, no-store, must-revalidate
pragma: no-cache
expires: Sat, 01 Jan 2000 00:00:00 GMT
x-ig-snorlax-chunk-sleepms: 100
x-frame-options: SAMEORIGIN
content-security-policy: report-uri https://www.instagram.com/security/csp_report/; default-src 'self' https://www.instagram.com; img-src data: blob: https://*.fbcdn.net https://*.instagram.com https://*.cdninstagram.com https://*.facebook.com https://*.fbsbx.com https://*.threads.net; font-src data: https://*.fbcdn.net https://*.instagram.com https://*.cdninstagram.com; media-src 'self' blob: https://www.instagram.com https://*.cdninstagram.com https://*.fbcdn.net; manifest-src 'self' https://www.instagram.com; script-src 'self' https://instagram.com https://www.instagram.com https://*.www.instagram.com https://*.cdninstagram.com wss://www.instagram.com https://*.facebook.com https://*.fbcdn.net https://*.facebook.net 'unsafe-inline''unsafe-eval' blob:; style-src 'self' https://*.www.instagram.com https://www.instagram.com 'unsafe-inline'; connect-src 'self' https://instagram.com https://www.instagram.com https://*.www.instagram.com https://graph.instagram.com https://*.graph.instagram.com https://i.instagram.com/graphql_www https://graphql.instagram.com https://*.cdninstagram.com https://api.instagram.com https://i.instagram.com https://*.i.instagram.com https://*.od.instagram.com https://i.threads.net https://*.od.threads.net wss://www.instagram.com wss://edge-chat.instagram.com https://*.facebook.com https://*.fbcdn.net https://*.facebook.net chrome-extension://boadgeojelhgndaghljhdicfkmllpafd blob:; worker-src 'self' blob: https://www.instagram.com; frame-src 'self' https://instagram.com https://www.instagram.com https://*.instagram.com https://staticxx.facebook.com https://www.facebook.com https://web.facebook.com https://connect.facebook.net https://m.facebook.com https://*.fbsbx.com; object-src 'none'; upgrade-insecure-requests
cross-origin-embedder-policy-report-only: require-corp;report-to="coep"
report-to: {"group": "coep", "max_age": 86400, "endpoints": [{"url": "/security/coep_report/"}]},{"group": "coop", "max_age": 86400, "endpoints": [{"url": "/security/coop_report/"}]}
cross-origin-opener-policy: same-origin-allow-popups;report-to="coop"
x-content-type-options: nosniff
x-xss-protection: 0
x-ig-push-state: c2
x-ig-cache-control: no-cache
x-aed: 299
x-ig-request-elapsed-time-ms: 98
x-ig-peak-v2: 0
x-ig-peak-time: 1
x-stack: distillery
set-cookie: csrftoken=""; Domain=instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: csrftoken=""; Domain=.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: csrftoken=""; Domain=i.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: csrftoken=""; Domain=.i.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: csrftoken=""; Domain=www.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: csrftoken=""; Domain=.www.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: csrftoken=""; Domain=.threads.net; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: csrftoken=""; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: mid=""; Domain=instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: mid=""; Domain=.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: mid=""; Domain=i.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: mid=""; Domain=.i.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: mid=""; Domain=www.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: mid=""; Domain=.www.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: mid=""; Domain=.threads.net; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: mid=""; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: ig_did=""; Domain=instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: ig_did=""; Domain=.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: ig_did=""; Domain=i.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: ig_did=""; Domain=.i.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: ig_did=""; Domain=www.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: ig_did=""; Domain=.www.instagram.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: ig_did=""; Domain=.threads.net; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
set-cookie: ig_did=""; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
content-length: 119
x-ig-origin-region: ldc
alt-svc: h3=":443"; ma=86400
priority: u=3,i

{"message":"Please wait a few minutes before you try again.","require_login":true,"igweb_rollout":true,"status":"fail"}

When there's a valid user session, the query requests are done through posts.
Any ideas on what might cause this?
I mean, the message does seem to imply that there's some sort of rate-limiting error, but I'm not sure if Instagram applies this type of limit to anonymous requests (i.e., requests which are not associated with a valid login session) coming from the same IP.
PS: the request goes through a FortiGate which applies several security filters, but it's not logging any errors or issues (so, it looks like the 401 is being returned from Instagram's servers).
Thanks.