instagrapi vs Osintgram vs insto: Instagram OSINT in Python
These three projects keep showing up together in Instagram OSINT threads, and the relationship between them is not always obvious. They sit at different layers: Osintgram is a command-line tool with a fixed vocabulary, instagrapi is the Python library you build OSINT tooling on, and insto is a modern interactive CLI by the same team that maintains instagrapi. The wrinkle that shifts the picture in 2026 is that Osintgram itself merged HikerAPI integration in PR #2586 on 2025-08-11 — the canonical OSS Instagram OSINT tool now ships a managed-API backend out of the box. This guide walks through what each of the three is, what changed when that PR landed, and which one is right for which job.
TL;DR
- Osintgram (`Datalux/Osintgram`, 12.7K ⭐) — the canonical Instagram OSINT CLI. Battle-tested command vocabulary (`addrs`, `mediatype`, `tagged`, `phone`, `email`, `propic`). Historically required a working Instagram login and suffered the matching login-flow pain. As of PR #2586 it can route through HikerAPI instead.
- instagrapi (`subzeroid/instagrapi`, 6.1K ⭐) — the Python library. Not an OSINT tool itself; the substrate every Python OSINT tool for Instagram is built on, including the new `hikercli` module inside Osintgram.
- insto (`subzeroid/insto`) — modern interactive REPL by the `instagrapi` maintainers. HikerAPI is the default backend, `aiograpi` is the optional fallback. Snapshot/watch/diff in a local SQLite store and Maltego CSV export are the headline features.
What each one actually is
Osintgram is a CLI you launch against a single target (python3 main.py <username>) and then issue commands inside an interactive shell. The command vocabulary is the project’s main asset: there is a documented verb for every common OSINT question — get followers and following, list photos a user is tagged in, extract phone numbers and email addresses from bios, dump locations of recent posts, fetch the high-resolution profile picture. The CLI itself has not changed shape much in years, and that stability is part of its appeal: tutorials, blog posts, and university course material reference its commands by name. The code is MIT-licensed and the entry barrier is git clone plus pip install.
instagrapi is not a tool. It is a Python library that wraps Instagram’s private mobile API, with typed pydantic responses, a Client class for synchronous use and a sister project (aiograpi) for async. People build OSINT tools on top of it; Osintgram’s new hikercli module is exactly that — a focused Python module that uses the HikerAPI service to back a subset of Osintgram’s commands with public-profile-safe data. If you are not building a tool but using one, you do not need to know instagrapi exists. If you are building a tool, you almost certainly do.
insto takes a different design choice from Osintgram. Instead of one-shot commands run inside a shell, insto is a REPL: you load a target, run queries against it, persist the result to a local SQLite store (~/.insto/store.db), and then re-run those queries later to diff against the snapshot. Watching a target over time — new followers, removed posts, biography changes — is a first-class operation rather than a manual export workflow. HikerAPI is the default backend (so no Instagram login), aiograpi is opt-in for users who already have a hardened login session and prefer to use it.
The login problem (and what changed in PR #2586)
Osintgram historically asked for an Instagram username and password in credentials.ini. Every command then ran against Instagram’s private mobile API as that user. This is the same surface instagrapi wraps, and the same surface that produces the long tail of challenge_required, feedback_required, login_required, and silent shadow-bans you read about in the issue trackers. The problem is structural: an Instagram account that performs OSINT-shaped traffic — pulling many followers lists, hitting many profiles in a short window, scraping tagged posts at scale — is exactly the traffic shape Instagram’s anti-abuse system was built to flag. Even with proxies and pacing, the account that holds the session is a liability.
PR #2586 (merged 2025-08-11) added a new src/hikercli.py module — a 1205-line drop-in that re-implements Osintgram’s command surface against HikerAPI’s HTTPS endpoints. The README diff is short and tells the story:
- 6. Open the credentials.ini and write your Instagram username and password
+ 6. ...write your Instagram account username and password. Or use
+ `hikerapi_token` from https://hikerapi.com/tokens (first 100 requests
+ are free after registration and confirmation of your tg)
+ * Or execute using HikerAPI token via env
+ HIKERAPI_TOKEN=<token> python3 main.py <target> -c <command>
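Review bot: the added usage line `HIKERAPI_TOKEN=<token> python3 main.py <target> -c <command>` has the reader type the token inline, which leaves it in shell history, and step 6 now invites another secret into `credentials.ini` without saying how that file should be protected. Suggest showing the variable being exported from the environment or a secrets manager instead, and adding a sentence that `credentials.ini` must stay out of version control and be readable only by its owner. The abbreviation "tg" in the free-requests note should also be spelled out.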
The behavior is opt-in: if HIKERAPI_TOKEN is set, commands route through hikercli; if not, the original credentials.ini flow is preserved. Existing tutorials and downstream scripts keep working. New users — or existing users tired of resetting yet another flagged account — set the env var and stop thinking about login.
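A pre-flight check for the routing rule above, as an added example (not code from Osintgram or `hikercli`): it reports which path a run would take and flags credentials left readable on disk. The `[Credentials]` section name, the finding labels and the sample values are assumptions made for the illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample file; the [Credentials] section name is an assumption.
SAMPLE_INI = "[Credentials]\nusername = analyst_acct\npassword = example-only\n"


def audit_backend(env, ini_path):
    """Return (backend, findings) for the opt-in routing rule."""
    findings = []
    # interpolation=None so a '%' inside a real password does not raise.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(ini_path)  # a missing file is silently skipped
    creds = dict(cfg["Credentials"]) if cfg.has_section("Credentials") else {}
    has_password = bool(creds.get("password", "").strip())
    has_file_token = bool(creds.get("hikerapi_token", "").strip())

    # Rule as the page states it: env var set -> hikercli, else the login flow.
    backend = "hikercli" if env.get("HIKERAPI_TOKEN", "").strip() else "login"

    if backend == "hikercli" and has_password:
        findings.append("unused-password-on-disk")
    if backend == "login" and not has_password:
        findings.append("login-flow-without-password")
    if (has_password or has_file_token) and os.path.exists(ini_path):
        mode = stat.S_IMODE(os.stat(ini_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other access
            findings.append("secrets-file-mode-%03o" % mode)
    return backend, findings


def demo():
    """Run the audit on a constructed file under both configurations."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials.ini")
        with open(path, "w") as fh:
            fh.write(SAMPLE_INI)
        os.chmod(path, 0o644)
        with_token = audit_backend({"HIKERAPI_TOKEN": "constructed-token"}, path)
        os.chmod(path, 0o600)
        without_token = audit_backend({}, path)
    return with_token, without_token


if __name__ == "__main__":
    print(demo())
```
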
Capability matrix
| Capability | Osintgram (login) | Osintgram + hikercli | insto | instagrapi (library) |
|---|---|---|---|---|
| Profile metadata | ✅ | ✅ | ✅ | ✅ |
| Followers / following | ✅ | ✅ | ✅ | ✅ |
| Tagged photos | ✅ | ✅ | ✅ | ✅ |
| Comments + mentions | ✅ | ✅ | ✅ | ✅ |
| Story OSINT | ✅ | ✅ | ✅ | ✅ |
| Phone / email extraction from bio | ✅ | ✅ | partial | manual |
| Snapshot + diff over time | ❌ | ❌ | ✅ | manual |
| Maltego CSV export | ❌ | ❌ | ✅ | manual |
| Async / batch | ❌ | ❌ | partial | ✅ via aiograpi |
| Requires Instagram account | ✅ | ❌ | ❌ | ✅ |
| Surface area as a library import | ❌ | ❌ | ❌ | ✅ |
The last two rows are the ones that actually decide which tool you reach for. If you need a Python library you can import and compose, instagrapi is the only answer. If you need a CLI and you are willing to maintain an Instagram account just for OSINT, plain Osintgram still works. If you want a CLI and you do not want to maintain an Instagram account, the choice is between Osintgram + hikercli (familiar vocabulary) and insto (REPL with diff + export).
When to pick which
Pick Osintgram (with HIKERAPI_TOKEN) when:
- You’re following an existing tutorial, university course, or blog post that lists Osintgram commands by name.
- Your team already knows the verbs (`addrs`, `mediatype`, `tagged`) and you want to keep that muscle memory.
- You want a single-target, one-shot CLI rather than a long-lived interactive session.
Pick insto when:
- You’re starting fresh and want HikerAPI-native ergonomics from the first command.
- You need to watch a target over time — daily snapshots, diffs of who unfollowed, what posts disappeared.
- You’re handing the output to Maltego or another graph tool that ingests CSV.
Pick instagrapi (the library) when:
- You’re building a service or pipeline rather than running a CLI session.
- You need verbs no CLI exposes — custom hashtag-and-location intersection walks, bespoke clustering, machine-learning pre-processing.
- You want typed pydantic responses you can hand to FastAPI, push onto a queue, or dump into a warehouse without writing your own validators.
For most teams the honest answer is “two of the three”: instagrapi (or aiograpi) for the heavy custom work, plus insto or Osintgram + hikercli for the interactive ad-hoc questions where opening a Python REPL is overkill.
Two CLIs, one underlying API
It’s worth being explicit about this because the architecture choice matters more than the brand. insto and Osintgram + hikercli are not competitors at the data layer — they call the same HikerAPI endpoints, get the same JSON back, and rate-limit against the same quotas. The choice between them is a UX choice: command vocabulary versus REPL with persistence, single-shot versus long-lived session, fresh design versus established tutorials. The fact that the canonical Instagram OSINT tool merged this integration is the architectural signal — the OSS community evaluated the trade-off (account safety vs login freedom) and shipped the safer path as a first-class option.
If you’re writing a new OSINT tool of your own, the same pattern applies: build against instagrapi or HikerAPI directly, expose HikerAPI as the default backend, and treat session-based access as the fallback for users who already have a hardened account.
Wrapping up
The three projects answer different questions: which CLI vocabulary do I want (Osintgram vs insto), do I need an Instagram account in the loop (yes for plain Osintgram, no for either with HikerAPI), and am I building a tool or using one (instagrapi for the former, the CLIs for the latter). Since 2025-08-11 the second question has had a clean opt-in answer for both — and that has knock-on effects for the first, because once login is out of the picture, most teams pick the CLI based on snapshot/diff support and export ergonomics rather than account-safety nuance. Start with insto for fresh OSINT work, keep Osintgram + hikercli for existing playbooks, reach for instagrapi directly when you need to compose your own.
Frequently asked
Is Osintgram still maintained?
Yes. PR #2586 — adding HikerAPI integration via a new `hikercli` module — was merged into `Datalux/Osintgram` on 2025-08-11. The project still accepts contributions; the issue tracker has a heavy backlog around login flow, which the HikerAPI path is designed to bypass.
Do I still need an Instagram account to use Osintgram?
No. With `HIKERAPI_TOKEN` set in your environment, Osintgram routes through HikerAPI and skips Instagram login entirely. The original `credentials.ini` username/password path still works as a fallback for endpoints that genuinely require a logged-in viewer.
What's the difference between insto and Osintgram with hikercli?
Same underlying backend (HikerAPI), different UX. `insto` is a REPL with snapshot/watch/diff stored in `~/.insto/store.db` and a Maltego CSV exporter. Osintgram-with-hikercli keeps Osintgram's command vocabulary (`addrs`, `mediatype`, `tagged`) but routes those calls through HikerAPI instead of an Instagram session.
Why would I run Osintgram with credentials.ini in 2026?
Almost always: don't. The credentials.ini path requires a real Instagram account that survives `challenge_required`, `feedback_required`, and abuse-signal bans long enough to be useful. For public-profile intelligence the HikerAPI path is both safer and more reliable.
Can I use instagrapi for OSINT directly?
Yes — that's the third layer. Both `insto` and Osintgram's `hikercli` module ultimately call the same Instagram private-API surface that `instagrapi` wraps in Python. If you want a custom OSINT pipeline rather than a CLI's built-in vocabulary, importing `instagrapi` (or `aiograpi` for async) gives you the full surface to build against.