How much does the WhatsApp Profile API cost?

There are four tiers: BASIC is free with 50 requests/month, PRO is $35/month for 10,000 requests, ULTRA is $139/month for 50,000 requests, and MEGA is $449/month for 500,000 requests. Pay-As-You-Go credits are also available from $40 per 50,000 requests with crypto or $50 via PayPal.

What information does the API return?

The API returns whether a number is registered on WhatsApp, the public profile picture URL, the display name, the about/status text, and flags for WhatsApp Business and Enterprise accounts. Fields return null when the target user has restricted visibility in their WhatsApp privacy settings.

Does the lookup notify the target WhatsApp account?

No. The lookup is silent. It does not trigger the 'online' status, blue ticks, or any notification. It performs a directory-level existence query plus a read of public profile data the target has chosen to expose.

Can I access the API through RapidAPI or Apify?

Yes. The same JSON response is available on three channels: direct purchase (lowest per-request price), RapidAPI marketplace (fastest setup), and Apify Actor (no-code friendly). Direct purchase typically saves ~20% versus the equivalent RapidAPI-channel usage.

What is the difference between the Verify Token and the App Secret in WhatsApp webhooks?

They do two different jobs. The Verify Token is a string you invent and type into the dashboard; Meta sends it back once during the GET handshake (as hub.verify_token) so you can confirm the request is the expected setup call. It is not used after setup. The App Secret is your application's secret key, and Meta uses it to HMAC-sign every POST body, delivered in the X-Hub-Signature-256 header. You validate ongoing notifications with the App Secret, never the Verify Token.

Why does my X-Hub-Signature-256 validation always fail?

Almost always because you are hashing the wrong bytes. Meta signs the raw request body, but if your code parses the JSON and then re-serializes it (for example JSON.stringify(req.body)) before hashing, whitespace, key order and Unicode escaping change, so the computed HMAC will not match. Capture the raw buffer — for example with express.json's verify hook or express.raw, mounted before your route so req.rawBody exists — and HMAC that exact buffer with your App Secret. Also confirm you are using the App Secret as the key, comparing with sha256= prefixed, and using crypto.timingSafeEqual.

What happens if my webhook endpoint is down or returns an error?

Meta treats any non-200 response or timeout as a failed delivery and retries with exponential backoff for up to roughly seven days, then drops the event permanently — there is no dead-letter queue and no way to ask Meta to replay it. Note that if you receive events through a BSP rather than Meta directly, the effective retry window may be shorter than seven days, so confirm the policy with your provider. Either way, validate, return 200 quickly, and process asynchronously: a slow or throwing handler risks both unnecessary retries and, eventually, lost events.

How fast does my WhatsApp webhook need to respond?

Fast. Meta's commonly cited acknowledgement timeout is around 5 seconds (some BSPs document up to 10), so design for the lower bound. The reliable pattern is to validate the signature, return HTTP 200 immediately, and push the actual work onto a queue to process asynchronously. If you do the heavy lifting inline and exceed the timeout, Meta treats the delivery as failed and retries it, which multiplies your load and can cause duplicate processing.

Do I get duplicate webhook events, and how do I handle them?

Yes. WhatsApp delivery is at-least-once, so duplicates are expected, not exceptional. Make your handler idempotent by deduplicating on the message id — messages[].id for inbound messages and statuses[].id for status receipts. A common implementation is a Redis SET with NX (SETNX) and a TTL of about a day: the first time you see an id you claim the key and process the event; if the key already exists, you skip it.

Can I test WhatsApp webhooks on localhost?

Not directly, because Meta only sends events to a public HTTPS URL with a valid certificate. Use a tunneling tool such as ngrok to expose your local port over HTTPS, then register that URL (for example https:// .ngrok.app/webhook) as your Callback URL. Note that Meta validates the domain and certificate, so ngrok's free random domains can be unreliable for this integration — a reserved domain on a paid plan is the dependable choice, and ngrok's request inspector lets you replay deliveries while you debug.

Is it against WhatsApp's Terms to receive messages with an unofficial library instead of webhooks?

Yes. Unofficial libraries that automate the WhatsApp consumer or Web client — such as whatsapp-web.js, Baileys and WAHA — are not authorized by Meta and violate WhatsApp's Terms of Service, with real risk of the number being banned. The compliant way to receive messages programmatically is the official Cloud API with webhooks (this guide) or a Meta Business Solution Provider. If you only need to verify numbers or read public profile data, a read-only lookup API avoids messaging entirely.

Home
/
Blog
/
Handling WhatsApp Webhooks: A Developer Guide

Guides

13 min read May 20, 2026

Handling WhatsApp Webhooks: A Developer Guide

Name: WhatsApp Profile API
Availability: InStock
Rating: 4.5 (162 reviews)
Author: Eduardo Airaudo

A security-forward, end-to-end guide to receiving WhatsApp Cloud API webhooks — the verification handshake, message and status payloads, HMAC signature validation, idempotent retry handling, and local testing with ngrok, plus a working Express receiver.

Key takeaways

WhatsApp webhooks are part of the Meta-hosted WhatsApp Cloud API. You register one Callback URL plus a Verify Token in the Meta App Dashboard under WhatsApp - Configuration.
Setup is a one-time GET handshake: Meta sends hub.mode, hub.verify_token and hub.challenge; you check mode and token, then echo back hub.challenge with HTTP 200 (403 on mismatch).
Every notification is a POST. Inbound messages arrive in value.messages[]; delivery receipts in value.statuses[] with status values sent, delivered, read, failed (and the conditional deleted).
Always validate the X-Hub-Signature-256 header: HMAC-SHA256 over the raw request body, keyed by your App Secret, compared with crypto.timingSafeEqual. Never re-serialize the parsed JSON first.
Delivery is at-least-once, so duplicates are normal. Acknowledge within ~5 seconds, process async, and deduplicate on the message id. Meta retries failures with backoff for up to ~7 days (shorter behind some BSPs), then drops the event.

What WhatsApp webhooks are (and which API they belong to)

If you want your app to react to incoming WhatsApp messages or know when a message you sent was delivered or read, you do not poll an endpoint — WhatsApp pushes events to you over HTTPS. Those pushes are webhooks. This guide is about the official path: the WhatsApp Cloud API, part of Meta's WhatsApp Business Platform. The Cloud API is Meta-hosted and is the sanctioned replacement for the deprecated, self-hosted On-Premises API. Everything here is configured in the Meta App Dashboard under WhatsApp - Configuration.

Webhooks are a Meta-wide mechanism, so the shapes you will see are the same family used across Facebook products. For WhatsApp the relevant object type is whatsapp_business_account (the WABA). A single Callback URL receives two things you care about most: inbound messages from users, and status receipts for the messages you send. Both arrive as HTTP POST requests with a JSON body, and your job is to verify them, acknowledge them quickly, and process them reliably.

Official Cloud API vs unofficial libraries

These webhooks belong to Meta's official Cloud API, which is the only ToS-compliant route. Unofficial tools that automate the WhatsApp consumer or Web client — whatsapp-web.js, Baileys, WAHA and similar — are not authorized by Meta and violate WhatsApp's Terms, risking number and account bans. If you need to receive messages programmatically and stay compliant, use the Cloud API directly or go through a Meta Business Solution Provider (BSP).

Code assumptions in this guide

The examples target Node.js 18+ (the optional chaining ?? and the WHATWG features it implies are stable there) and use CommonJS require(). The redis and queue references are illustrative client placeholders — substitute your own clients (for example node-redis / ioredis and BullMQ) and wire up their connections; they are not globals that exist by default.

Step 1: the verification handshake (hub.challenge)

Before Meta will send you any events, it confirms that you own the Callback URL. The moment you save the URL in the dashboard, Meta sends a single GET request to it with three query parameters: hub.mode (always the string subscribe), hub.verify_token (the exact string you typed into the Verify Token field), and hub.challenge (a random string Meta generates).

Your endpoint must check that hub.mode equals subscribe and that hub.verify_token matches the token you configured, then respond with HTTP 200 and the value of hub.challenge as the plain-text body. If either check fails, return 403. One Express gotcha: the parameter names literally contain dots, so you read them with bracket notation — req.query["hub.mode"], not req.query.hub.mode. The Verify Token is used only during this one-time setup; it is not a per-message credential, so do not rely on it to authenticate ongoing notifications.

JAVASCRIPT

// GET /webhook — Meta's one-time verification handshake
app.get("/webhook", (req, res) => {
  const mode = req.query["hub.mode"];
  const token = req.query["hub.verify_token"];
  const challenge = req.query["hub.challenge"];

  if (mode === "subscribe" && token === process.env.VERIFY_TOKEN) {
    // Echo the challenge back as the plain response body.
    return res.status(200).send(challenge);
  }
  // Wrong mode or mismatched token.
  return res.sendStatus(403);
});

Step 2: understanding the POST payload structure

Once verified, real events arrive as POST requests. The envelope is consistent: a top-level object set to whatsapp_business_account, then an entry array. Each entry has an id (your WABA id) and a changes array. Each change carries a field (for messaging this is messages) and a value object that holds the actual content. Note the nesting — entry and changes are both arrays, so a single delivery can batch several events, and your code must loop, not index blindly at [0].

Inside value, inbound messages live in value.messages[] and outbound delivery receipts live in value.statuses[]. The two are mutually exclusive within a given change. Below is a real-shape inbound text message.

JSON

{
  "object": "whatsapp_business_account",
  "entry": [{
    "id": "<WABA_ID>",
    "changes": [{
      "field": "messages",
      "value": {
        "messaging_product": "whatsapp",
        "metadata": { "display_phone_number": "...", "phone_number_id": "..." },
        "contacts": [{ "profile": { "name": "..." }, "wa_id": "..." }],
        "messages": [{
          "from": "...",
          "id": "wamid....",
          "timestamp": "...",
          "type": "text",
          "text": { "body": "Hi!" }
        }]
      }
    }]
  }]
}

The message id (the wamid... value) is the most important field for reliability — it is your idempotency key, covered later. The type field tells you how to read the body: a text message has a text.body, while images, audio, location, interactive replies and so on each have their own sub-object. The contacts[] array gives you the sender's wa_id and public profile name in the same payload.

Status receipts: sent, delivered, read, failed

When you send a message, Meta reports its lifecycle back to the same webhook as a value.statuses[] entry. Each status has an id (the wamid of the message you sent), a status string, a timestamp, the recipient_id, and — for billable conversations — conversation and pricing sub-objects. The status string moves through a predictable set of values.

status value	What it means	Typical use
sent	Message accepted by WhatsApp servers, in transit	Confirm the send succeeded
delivered	Reached the recipient's device	Update your UI / delivery metrics
read	Recipient opened the chat (if read receipts on)	Trigger follow-ups, mark as seen
failed	Could not be delivered; inspect the errors array	Retry logic, alerting, opt-out cleanup
deleted	Message was deleted (conditional — see note)	Reconcile your local record

'deleted' is conditional, not a lifecycle step

Unlike sent, delivered, read and failed, the deleted status is not part of the normal send progression. It only appears when a message is removed, so do not model it as a guaranteed state your code will always observe. Treat it as an optional reconciliation signal — handle it if it arrives, but never wait on it or assume every message will pass through it.

One 2025 change to budget for: as of July 1, 2025, WhatsApp moved from conversation-based to per-message pricing, and status receipts now include a pricing_type sub-field. If you bill clients or track spend off webhook data, read pricing from the status payload rather than assuming the older conversation model. Enum values and the exact pricing fields do shift, and pricing_type is not guaranteed stable across every event shape — verify the current shape against Meta's live status reference (https://developers.facebook.com/documentation/business-messaging/whatsapp/webhooks/reference/messages/status/) before you ship billing logic, since this is the highest-stakes claim to get wrong.

Step 3: validating X-Hub-Signature-256 (do not skip this)

Your Callback URL is public, so anyone who learns it can POST fake events. The defense is signature validation. Meta signs the raw request body with HMAC-SHA256 keyed by your App Secret (not the Verify Token) and sends the result in the X-Hub-Signature-256 header, prefixed with sha256=. There is a legacy X-Hub-Signature header using SHA-1 — ignore it and validate the SHA-256 version.

Sign the raw bytes, not the parsed object

You must compute the HMAC over the exact raw body Meta sent, before JSON parsing. If you parse the JSON and then re-serialize it to hash, whitespace, key ordering and Unicode escaping change, the hash will not match, and every request will look forged. In Express, capture the raw buffer with the json verify hook, or mount express.raw for the webhook route specifically.

JAVASCRIPT

const express = require("express");
const crypto = require("crypto");
const app = express();

// Capture the raw body so we can verify the signature over exact bytes.
// Mount this BEFORE any route handlers, so req.rawBody and req.body
// are populated by the time the POST /webhook handler runs.
app.use(express.json({
  verify: (req, _res, buf) => { req.rawBody = buf; }
}));

function isValidSignature(req) {
  const header = req.get("X-Hub-Signature-256") || "";
  const expected = "sha256=" + crypto
    .createHmac("sha256", process.env.APP_SECRET)
    .update(req.rawBody)        // raw Buffer, not JSON.stringify(req.body)
    .digest("hex");

  const a = Buffer.from(header);
  const b = Buffer.from(expected);
  // Lengths must match before timingSafeEqual, or it throws.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

Middleware order matters here. The express.json() call above must be mounted before your POST /webhook route so that, by the time the handler runs, the verify hook has already populated req.rawBody (and req.body is parsed). If you register the route first, or mount a second body parser ahead of this one, req.rawBody will be undefined and every signature check will fail. Apply this parser only to the webhook path if other routes need different parsing.

Compare with crypto.timingSafeEqual, never with === or ==. A plain string comparison short-circuits on the first differing character, leaking timing information an attacker can use to forge a valid signature byte by byte. timingSafeEqual runs in constant time and closes that hole. Reject any request whose signature does not match before you trust a single field in the body.

Step 4: retries, timeouts and idempotency

WhatsApp webhook delivery is at-least-once. Duplicates are not a rare edge case — they are normal, especially under load or when your endpoint is briefly slow. Your handler must be idempotent: processing the same event twice must not double-send a reply, double-charge a customer, or create duplicate database rows.

The response budget is tight. Meta expects you to acknowledge fast — the commonly cited timeout is roughly 5 seconds (some BSPs document up to 10), so design for the lower bound rather than the looser one to avoid tripping needless retries. The pattern is: validate the signature, return HTTP 200 immediately, and do the real work asynchronously — push to a queue, then process. If you return a non-200 status or time out, Meta retries with exponential backoff for up to roughly seven days, then drops the event permanently. There is no dead-letter queue and no manual replay from Meta, so a handler that throws on a poison message can quietly lose data.

If you sit behind a BSP, the retry window may be shorter

The ~7-day backoff-then-drop behavior is Meta's Cloud API default. If you receive events through a Business Solution Provider or proxy layer rather than directly from Meta, the effective retry window can be shorter than seven days (some providers have historically cited windows as short as ~36 hours). Confirm the retry and drop policy with your specific BSP, and do not assume you have a full week of buffer.

JAVASCRIPT

// POST /webhook — validate, dedupe, ack fast, process async
app.post("/webhook", async (req, res) => {
  if (!isValidSignature(req)) return res.sendStatus(401);

  // Acknowledge first so Meta does not retry while we work.
  res.sendStatus(200);

  for (const entry of req.body.entry ?? []) {
    for (const change of entry.changes ?? []) {
      const value = change.value ?? {};

      for (const msg of value.messages ?? []) {
        // Idempotency: SET with NX returns null if the id was already seen.
        const fresh = await redis.set(`wa:msg:${msg.id}`, "1",
          { NX: true, EX: 86400 });
        if (!fresh) continue;            // duplicate — skip
        await queue.add("inbound", { value, msg });
      }

      for (const st of value.statuses ?? []) {
        await queue.add("status", { value, st });
      }
    }
  }
});

Deduplicate on the message id: messages[].id for inbound and statuses[].id for statuses. A Redis SETNX (SET with NX) and a short TTL is the standard trick — the first time you see an id you claim it and process; if the key already exists, you have seen this event and skip it. Keep the TTL longer than Meta's retry window for a given burst (a day is a safe default) so late retries are still caught.

The silent 'shadow delivery' gotcha

A common 2025 problem: your endpoint verifies fine, but no events ever arrive. The WABA-to-app subscription can silently fail to register in the newer dashboard UI. The fix is to POST to the Graph API endpoint /{WABA_ID}/subscribed_apps to create the subscription explicitly, then confirm it with a GET to the same endpoint. If verification passed but you see zero POSTs, check this before debugging your code.

Step 5: testing locally with ngrok

Meta only delivers to a public HTTPS URL with a valid certificate, so localhost is unreachable during development. ngrok solves this by tunneling a public HTTPS endpoint to your local port. Run your Express server on, say, port 3000, start the tunnel, and register the resulting URL plus /webhook as your Callback URL — for example https://<name>.ngrok.app/webhook.

BASH

# Run your receiver locally
node server.js   # listening on :3000

# In another terminal, expose it over HTTPS
ngrok http 3000
# -> Forwarding  https://<name>.ngrok.app -> http://localhost:3000
# Use https://<name>.ngrok.app/webhook as the Callback URL

One practical limitation: because Meta validates the domain and certificate, ngrok's free, random ephemeral domains are unreliable for the WhatsApp integration. In practice you want a reserved domain on a paid (pay-as-you-go) ngrok plan so the URL is stable across restarts and passes Meta's checks. A big upside of ngrok is its request inspector, which records every webhook delivery and lets you replay it — invaluable for iterating on your handler without re-triggering real WhatsApp messages each time.

Staying compliant once messages flow

Receiving webhooks is half the story; replying responsibly is the other half. The Cloud API enforces real rules and ignoring them hurts your quality rating and can get your number restricted. The essentials: collect explicit user opt-in before messaging, and honor opt-out (a 'Reply STOP' handler is the minimum). You can reply freely with regular messages only inside the 24-hour customer service window that opens when a user messages you; outside that window, business-initiated messages must use pre-approved template messages. Respect your messaging tier limits and watch your quality rating, since both throttle how much you can send.

If your goal is simply to know whether a number is on WhatsApp, or to fetch a public profile picture, display name, about text, or business flag, you do not need a full webhook pipeline or template approvals at all — a read-only lookup is simpler and carries no sending risk.

Frequently asked questions

Need to verify numbers, not run a webhook pipeline?

If you just need to know whether a number is on WhatsApp and read its public profile picture, display name, about text, and business flag, our hosted API returns it in one HTTP call — read-only, no Callback URL, no template approvals, no ban risk.

Explore the WhatsApp Profile API

Sources & further reading

More from the blog

Written by

Eduardo Airaudo

Developer and founder of the WhatsApp Profile API. Building WhatsApp tooling and APIs since 2022.

Handling WhatsApp Webhooks: A Developer Guide

What WhatsApp webhooks are (and which API they belong to)

Step 1: the verification handshake (hub.challenge)

Step 2: understanding the POST payload structure

Status receipts: sent, delivered, read, failed

Step 3: validating X-Hub-Signature-256 (do not skip this)

Step 4: retries, timeouts and idempotency

Step 5: testing locally with ngrok

Staying compliant once messages flow

Frequently asked questions

Sources & further reading

Related

More from the blog

What Our Users Say

Good