Logo

Get Click Media

AI Communication Platform

Trusted by 10,000+ businesses

WhatsApp

WhatsApp Webhooks — Setup, Events, and Integration Guide

WhatsApp webhooks are HTTP callbacks Meta sends to your server in real time for inbound messages, delivery receipts, read receipts, and button taps. Get Click Media provides signature verification code samples and integration support for Node.js, Python, PHP, and Java.

Get Click Media7 min read
WhatsApp Webhooks — Setup, Events, and Integration Guide

WhatsApp webhooks are HTTP callbacks that Meta sends to your server in real time when events occur in your WhatsApp Business API account — including inbound messages, delivery receipts, read receipts, button taps, and message status updates. To use webhooks, you register an HTTPS endpoint URL in your Meta App settings. Get Click Media provides webhook documentation, signature verification code samples, and integration support for Node.js, Python, PHP, and Java.

Webhooks are the inbound channel of WhatsApp Business API. The API has two directions: outbound (you call the REST API to send messages) and inbound (Meta calls your webhook when something happens). Without webhooks, your application is blind to what customers send you and whether your messages are being delivered and read. This guide is written and maintained by Get Click Media's integration engineering team, drawing on webhook deployments across hundreds of live WhatsApp Business API accounts.

What Events WhatsApp Webhooks Deliver

Event typeWhen it firesJSON fieldUse case
messageCustomer sends a message to your businesstype: text/image/button/interactiveChatbot response, CRM update, agent routing
message_status — sentYour outbound message was sent to Metastatus: sentLogging, audit trail
message_status — deliveredMessage reached customer's devicestatus: deliveredDelivery confirmation, SLA tracking
message_status — readCustomer opened the messagestatus: readEngagement tracking, follow-up timing
message_status — failedDelivery failed permanentlystatus: failed + error objectAlert team, retry logic, invalid number cleanup
button_replyCustomer tapped a quick-reply buttontype: interactive, button_replyChatbot routing, CRM field update
list_replyCustomer selected from a list menutype: interactive, list_replyService routing, product selection
reactionCustomer reacted to a message with emojitype: reactionSentiment tracking
unsupportedMessage type not supported by API versiontype: unsupportedError handling — respond with fallback

Webhook Setup — Step by Step

1. Build Your Webhook Endpoint

Your endpoint must accept POST requests, verify the inbound signature, and acknowledge immediately — before any business logic runs.

const express = require('express');
const crypto = require('crypto');
const app = express();
app.use(express.json());

const GCM_WEBHOOK_SECRET = process.env.GCM_WEBHOOK_SECRET;

// Verify webhook signature on every inbound event
function verifySignature(body, sigHeader) {
  const expected = crypto
    .createHmac('sha256', GCM_WEBHOOK_SECRET)
    .update(JSON.stringify(body))
    .digest('hex');
  return expected === sigHeader;
}

app.post('/webhook/whatsapp', async (req, res) => {
  const sig = req.headers['x-gcm-signature'];
  if (!verifySignature(req.body, sig)) {
    return res.status(401).send('Unauthorized');
  }

  // Acknowledge IMMEDIATELY — process async
  res.status(200).send('OK');

  const { type, from, message, status, timestamp } = req.body;
  switch (type) {
    case 'message':
      await handleInbound(from, message, timestamp);
      break;
    case 'status':
      await updateStatus(status.message_id, status.status);
      break;
    case 'button_reply':
      await handleButton(from, message.button_reply.id);
      break;
  }
});

app.listen(3000, () => console.log('Webhook listening on :3000'));

2. Verify Your Endpoint With Meta

Before Meta will deliver events, it sends a one-time GET request to confirm you control the endpoint. Your handler must echo back the hub.challenge value.

// Meta sends a GET request to verify your webhook endpoint
// You must return the hub.challenge value
app.get('/webhook/whatsapp', (req, res) => {
  const mode = req.query['hub.mode'];
  const token = req.query['hub.verify_token'];
  const challenge = req.query['hub.challenge'];

  if (mode === 'subscribe' && token === process.env.WEBHOOK_VERIFY_TOKEN) {
    console.log('Webhook verified by Meta');
    return res.status(200).send(challenge); // Must return as plain text
  }
  res.status(403).send('Forbidden');
});

// Register this URL in Meta App Dashboard:
// Webhooks > Edit > Callback URL: https://yourapp.com/webhook/whatsapp
// Verify Token: same value as WEBHOOK_VERIFY_TOKEN env var

Inbound Message Payload — Structure Reference

{
  "type": "message",
  "from": "+919876543210",
  "timestamp": "1720000000",
  "message": {
    "id": "wamid.xxx",
    "type": "text",
    "text": { "body": "What is the status of my order?" }
  }
}
{
  "type": "button_reply",
  "from": "+919876543210",
  "message": {
    "type": "interactive",
    "interactive": {
      "type": "button_reply",
      "button_reply": { "id": "btn_track_order", "title": "Track Order" }
    }
  }
}

Webhook Best Practices

PracticeImplementationWhy it matters
Acknowledge immediatelyReturn HTTP 200 before processingMeta retries if no 200 within 5 seconds — causes duplicate events
Process asynchronouslyPush event to queue (Redis/SQS), process in backgroundPrevents timeout on complex processing logic
Verify signatureHMAC-SHA256 check on every requestRejects spoofed requests pretending to be from GCM
Idempotent processingCheck message_id before processingMeta may send duplicate events — idempotency prevents double-processing
Handle all event typesSwitch/case on type fieldUnknown types cause unhandled errors if not caught
Log all eventsStore raw payload with timestampEssential for debugging delivery issues and audit trails
Monitor endpoint uptimeExternal uptime monitor (Pingdom, UptimeRobot)Missed webhooks = missed customer messages
Retry failed processingDead letter queue for processing failuresBusiness-critical events must not be silently dropped

Common Webhook Issues and Fixes

IssueCauseFix
Webhook not receiving eventsURL not registered or HTTPS not validRegister URL in Meta App Dashboard. Ensure valid SSL cert (not self-signed).
Duplicate events receivedProcessing not idempotentStore processed message_ids. Skip if already processed.
Signature verification failingWrong secret or body serialisation issueEnsure secret matches exactly. Use the raw body buffer for HMAC — not parsed JSON.
Webhook timing outProcessing inside the webhook handlerReturn 200 immediately. Push to an async queue for processing.
Missing delivery receiptsQuality score issues or number restrictionsCheck WhatsApp Manager quality rating. Contact GCM if status shows restricted.

Frequently Asked Questions — WhatsApp Webhooks

What is a WhatsApp webhook? A WhatsApp webhook is an HTTPS endpoint on your server that Meta calls when events occur — customer messages, delivery receipts, read receipts, button taps. You register your URL in the Meta App Dashboard. Meta sends POST requests with event data as JSON payloads in real time.

Is a webhook required for WhatsApp Business API? Webhooks are required to receive inbound customer messages and delivery status events. Without a webhook, your application can only send messages — it cannot receive replies, track delivery, or respond to customer button taps. For a chatbot or two-way conversation flow, webhooks are mandatory.

What happens if my webhook goes down? Meta retries failed webhook deliveries with exponential backoff — up to 5 attempts over 24 hours. After that, undelivered events are dropped. For production deployments, use a queue between the webhook receiver and your processing logic so the webhook receiver always responds quickly with 200.

Can I test webhooks locally during development? Yes — use ngrok or Cloudflare Tunnel to expose your local server with a public HTTPS URL. Register this temporary URL in your Meta App Dashboard during development. Get Click Media's sandbox environment also fires test webhook events for integration testing.

Why do I need to verify the webhook signature? Signature verification (HMAC-SHA256) confirms that an inbound request genuinely came from Meta or Get Click Media's platform, not an attacker spoofing your endpoint. Without it, anyone who discovers your webhook URL could inject fake messages or fake delivery confirmations into your system.

Get Started

Once your webhook is live, connect it to the rest of your stack: see WhatsApp API documentation for the full endpoint reference, WhatsApp API integration for CRM and platform connectors, and WhatsApp API security for hardening your endpoint before go-live.

Get WhatsApp Business APIRead API Docs · Get API Access · Talk to Technical Team

whatsapp webhookswhatsapp api webhookwhatsapp webhook setupwhatsapp webhook node.jswhatsapp message received webhookwhatsapp delivery webhook

Frequently Asked Questions

A WhatsApp webhook is an HTTPS endpoint on your server that Meta calls when events occur — customer messages, delivery receipts, read receipts, button taps. You register your URL in the Meta App Dashboard. Meta sends POST requests with event data as JSON payloads in real time.

Webhooks are required to receive inbound customer messages and delivery status events. Without a webhook, your application can only send messages — it cannot receive replies, track delivery, or respond to customer button taps. For a chatbot or two-way conversation flow, webhooks are mandatory.

Meta retries failed webhook deliveries with exponential backoff — up to 5 attempts over 24 hours. After that, undelivered events are dropped. For production deployments, use a queue between the webhook receiver and your processing logic so the webhook receiver always responds quickly with 200.

Yes — use ngrok or Cloudflare Tunnel to expose your local server with a public HTTPS URL. Register this temporary URL in your Meta App Dashboard during development. Get Click Media's sandbox environment also fires test webhook events for integration testing.

Signature verification (HMAC-SHA256) confirms that an inbound request genuinely came from Meta or Get Click Media's platform, not an attacker spoofing your endpoint. Without it, anyone who discovers your webhook URL could inject fake messages or fake delivery confirmations into your system.

Related Articles

WhatsApp Business API Documentation — Complete Reference India 2026
WhatsApp

WhatsApp Business API Documentation — Complete Reference India 2026

WhatsApp Business API documentation covering REST API endpoints, webhook event schemas, Cloud API authentication, template management, and Catalog and Flows APIs. Code samples in Node.js, Python, PHP, and Java from an official Meta BSP.

6 min read
WhatsApp API Error Codes — Complete Reference and Troubleshooting Guide
WhatsApp

WhatsApp API Error Codes — Complete Reference and Troubleshooting Guide

Complete WhatsApp Business API error code reference — 400, 429, 130429, 131030, 131047, 131051, 132000, and more. What each code means, why it happens, and the exact fix, with Node.js retry-logic code samples.

7 min read
WhatsApp API Rate Limits — Complete Guide for Indian Developers
WhatsApp

WhatsApp API Rate Limits — Complete Guide for Indian Developers

WhatsApp Business API has per-second throughput limits and daily messaging tier limits that scale from 1,000 to unlimited conversations. Learn both systems, Meta's tier progression, quality score factors, and a proven warm-up schedule.

6 min read