Requirements
- A WhatsApp Cloud app in Meta Business Manager.
access_tokenandphone_number_idfrom the app.- A webhook endpoint that Meta can reach.
Create the WhatsApp Cloud app (quick steps)
- In Meta Business Manager, create a Meta app and add the WhatsApp product.
- In WhatsApp > API Setup, copy the Phone Number ID.
- Generate an access token (temporary for testing, or a long‑lived system user token for production).
- Pick a verify token (random string) you will use for webhook verification.
- You will need a public HTTPS URL for the webhook (use a tunnel if running locally).
Basic configuration
Recommended setup (webhook + tunnel)
WhatsApp Cloud requires a public HTTPS webhook endpoint. The safest pattern is:- Keep the gateway local-only.
- Expose only the webhook port through a tunnel (ngrok/Tailscale/Cloudflare Tunnel).
/webhook.
Webhook setup
- The gateway listens on
http://<host>:8088/webhookby default. - Meta will send a verification request with
hub.verify_token. - The adapter replies with the provided challenge when the token matches.
- For webhook POSTs, set
cloud.app_secretto verifyX-Hub-Signature-256and prevent forged requests. - In Meta’s webhook settings, subscribe to message events for the WhatsApp product.
Pairing and allowlists
WhatsApp uses the shared pairing and allowlist rules. See Security and pairing.Security tips
- Keep
gateway.public_access=false; only tunnel the webhook port, not the gateway. - Use a random
verify_tokenand store it safely. - Use
pairing.dm_policy=pairingunless you have a controlled, allowlisted setup.
Notes
- The
webhook_bindmust be reachable by Meta (often via a tunnel or reverse proxy).