Wacrm uses the Meta Cloud API — the official WhatsApp Business API — to send and receive messages. You do not need a third-party gateway or a WhatsApp Business App installation; everything goes through Meta’s infrastructure directly. This page covers creating a Meta app, wiring up the webhook, and saving your credentials inside Wacrm so the inbox and broadcasts go live.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ArnasDon/wacrm/llms.txt
Use this file to discover all available pages before exploring further.
Prerequisites
- A Meta Developer account
- A Facebook Business account verified with Meta (required to send messages outside the 24-hour session window)
- Wacrm already running and accessible at a public HTTPS URL —
localhostdoes not work for the webhook registration step (see the warning below)
Create a Meta app and add the WhatsApp product
- Go to developers.facebook.com/apps and click Create App.
- Choose Business as the app type and click Next.
- Give your app a name (e.g. “My CRM”), associate it with your Business account, and click Create App.
- In the app dashboard, find the Add products to your app section and click Set up next to WhatsApp.
Add and verify your business phone number
In the WhatsApp → Getting Started section of your app dashboard:
- Under Step 1: Select phone numbers, click Add phone number.
- Enter your business display name and select a business category.
- Enter the phone number you want to use. This number must not already be registered with WhatsApp on any device — if it is, you must first delete the existing WhatsApp account associated with it.
- Verify the number with the OTP code Meta sends via SMS or voice call.
Meta provides a free test number under Getting Started that you can use during development without registering your real business number. Messages sent to/from the test number are limited to five pre-approved recipient numbers, but it’s sufficient to validate your Wacrm setup before going live.
Collect your WhatsApp credentials
From the WhatsApp → API Setup page (formerly called “Getting Started”), copy the following:
The temporary token is fine for testing, but you must generate a permanent token before going to production. To create a permanent token:
| Credential | Where to find it |
|---|---|
| Phone Number ID | Shown in the “From” phone number selector on the API Setup page |
| WhatsApp Business Account ID (WABA ID) | Shown just above the Phone Number ID |
| Temporary Access Token | Shown on the API Setup page — valid for 24 hours |
- Go to Business Settings → System Users and create a System User with Admin role.
- Click Add Assets, assign your WhatsApp app with Full Control permission.
- Click Generate Token for that System User, select your app, and grant
whatsapp_business_messagingandwhatsapp_business_managementpermissions. - Copy the generated token — it does not expire unless explicitly revoked.
.env.local (or host environment):Set META_APP_SECRET
Wacrm verifies every inbound webhook POST using an HMAC-SHA256 signature that Meta includes in the
X-Hub-Signature-256 header. This requires your App Secret.- In the Meta app dashboard, go to App Settings → Basic.
- Click Show next to the App Secret field and copy the value.
- Set it as
META_APP_SECRETin your environment:
Register the webhook with Meta
- In your Meta app dashboard, go to WhatsApp → Configuration.
- Under Webhook, click Edit.
- Set the Callback URL to:
- Set the Verify Token to any string you choose (e.g. a long random token). You will paste this same value into Wacrm in the next step.
- Click Verify and Save. Meta sends a
GETrequest to your webhook URL withhub.mode=subscribe,hub.challenge, andhub.verify_token. Wacrm automatically responds with the challenge value if the verify token matches — no extra configuration needed. - After verification succeeds, click Manage next to the webhook subscription and enable the messages field. This subscribes your app to inbound messages, delivery receipts, and read receipts.
Wacrm handles the GET verification challenge automatically. It queries the
whatsapp_config table for a matching verify token (stored encrypted), decrypts it, and returns the challenge string as plain text — exactly as Meta’s spec requires. You do not need to write any verification code.Configure WhatsApp credentials in Wacrm
With your app deployed and the webhook registered:
- Open your Wacrm dashboard and navigate to Settings → WhatsApp.
- Paste your Permanent Access Token, Phone Number ID, WhatsApp Business Account ID, and the Verify Token you chose in the previous step.
- Click Save.
ENCRYPTION_KEY in your environment.Once saved, send a WhatsApp message to your registered number. It should appear in the Wacrm inbox within a few seconds.Webhook security
Every inbound
POST to /api/whatsapp/webhook is authenticated via the X-Hub-Signature-256 header. Meta signs the raw request body with your META_APP_SECRET using HMAC-SHA256. Wacrm verifies this signature before processing any payload — requests with a missing or invalid signature are rejected with a 401 response. This prevents spoofed webhook deliveries from injecting fake messages into your inbox.Dry-run mode for templates
When developing locally or running in CI, you can skip the actual Meta API call when submitting message templates by setting:POST /api/whatsapp/templates/submit stores the template row in the database with a synthetic dry-run-<uuid> as the meta_template_id instead of calling the Meta API. This lets you exercise the full template creation UI and test downstream flows without a real WhatsApp Business Account. Leave this unset (or set to false) in production.