They must have some sort of arrangement with Instagram as @RunscopeAPITools mentions. You are able to post comments to Instagram from Statigram, which requires special permission.

The only special request you have to send to Instagram is the request to post comments.

The API limit is 5000 requests per hour per access_token or client_id. Every user has their own access_token, so as long as the requests from the third party application uses each individual access token, they will be hard pressed to exceed 5000 per user per hour.

That works out to 83 requests per minute and any user interacting with your application is highly unlikely to hit that.

From the docs:

You are limited to 5000 requests per hour per access_token or client_id overall. Practically, this means you should (when possible) authenticate users so that limits are well outside the reach of a given user.

If you are not using user authentication, you will likely hit the limit with just your client_id.

Most likely they're using one of the following methods:

• An arrangement with Instagram
• Credential rotation
• IP rotation
• Heavy caching (especially across credentials or IPs)
• Screenscraping

In cases like this, if you don't have a special arrangement, you're almost certainly violating the terms of service. If you think your service is useful enough that Instagram would be willing to whitelist you to make more requests, get in touch with them.