Webhook endpoints
| Method | Path | Purpose |
|---|---|---|
GET | /api/webhook | Meta webhook verification (hub challenge) |
POST | /api/webhook | Inbound messages and status updates |
Authorization header is needed. Security is provided by HMAC signature verification on POST requests.
Webhook verification (GET)
When you register your webhook URL in Meta, Meta sends a GET request to verify ownership:hub.verify_token matches the Webhook Verify Token stored in your workspace settings. If it matches, it responds with the hub.challenge value and a 200 status.
If verification fails, check that the Verify Token in Meta matches exactly what you entered in Settings → WhatsApp Setup.
Inbound events (POST)
Meta sends a POST request for every event — incoming messages, delivery receipts, read receipts.Signature verification
Every POST request includes anx-hub-signature-256 header:
HMAC-SHA256(raw_body, app_secret) and compares it to the header value. Requests that fail signature verification are rejected with 403 Forbidden.
The app_secret is the App Secret stored in your workspace WhatsApp settings (from Meta → Settings → Basic).
Example: inbound text message
Example: delivery status update
sent, delivered, read, failed.
Retry behaviour
Meta retries failed webhook deliveries (non-2xx responses) with exponential backoff. WapNotify deduplicates messages using thewa_message_id field — receiving the same message ID twice is safe.