How do WhatsApp webhooks work?
A webhook is a URL on your server that WhatsApp calls the instant something happens — a customer replies, a message is delivered or read, a template gets approved, or a phone number's quality rating changes. Instead of your system repeatedly polling Meta's Cloud API to ask "anything new?", WhatsApp pushes a signed JSON payload to your endpoint the moment the event occurs. That real-time push is what makes automated replies, chatbots, CRM sync, and delivery dashboards possible. This page explains exactly what events you receive, how the handshake and payloads work, and what an Indian business needs to get right when wiring webhooks to the WhatsApp Business API.
Quick answer
WhatsApp webhooks are POST callbacks Meta sends to your HTTPS endpoint in real time whenever an inbound message arrives or a status changes. You verify the endpoint once, subscribe to the fields you care about, validate each payload's X-Hub-Signature, then acknowledge with HTTP 200 and process asynchronously.The webhook lifecycle: verify, subscribe, receive
Setting up a WhatsApp webhook is a three-step handshake. First, Meta verifies you own the endpoint: when you register your callback URL in the app dashboard, Meta sends a GET request carrying a hub.challenge string and the verify token you configured. Your server must echo the challenge back and confirm the token matches, which proves the URL is live and yours. Second, you subscribe your WhatsApp Business Account to specific webhook fields — you rarely want every event, so you pick the ones your use case needs. Third, from that point on Meta sends HTTPS POST requests to your URL every time a subscribed event fires. Your job is simply to respond quickly with an HTTP 200, then do the real processing off the request thread.
- GET verification: echo hub.challenge and match your verify token
- Subscribe the WABA to fields like messages, message_template_status_update, account_update
- POST delivery: Meta sends JSON events to your HTTPS endpoint in real time
- Endpoint must use a valid TLS certificate on port 443 — no self-signed certs
What events you actually receive
Nearly everything useful arrives under the single messages field, but the payload varies by what happened. Inbound customer messages come through as message objects (text, image, document, audio, location, interactive button and list replies, and more), each stamped with the sender's wa_id and a timestamp. Outbound message lifecycle updates arrive as statuses objects that progress through sent, delivered, read, and failed — this is how you build accurate delivery dashboards and trigger retries. Beyond messaging, account-level fields tell you when a template is approved or rejected, when your messaging limit tier changes, when your phone number's quality rating shifts to yellow or red, or when account review status updates. Subscribe deliberately: fewer fields means cleaner payloads and less noise to filter.
- Inbound messages: text, media, location, contacts, and interactive replies
- Statuses: sent, delivered, read, failed — plus pricing category metadata
- message_template_status_update: template approved, rejected, or paused
- phone_number_quality_update and account_update for health and limit changes
Reading a status payload — and what the pricing fields mean
Each status event includes a pricing block, and this is where accuracy matters. Since Meta retired per-conversation billing on 1 July 2025, WhatsApp charges per delivered message by category — marketing, utility, or authentication. Your webhook's status payload surfaces that category so you can attribute cost to the right message type in your own reporting, rather than guessing. The 24-hour customer service window still exists, but it is now a free service window that lets you reply to a user without a template — it is no longer a billing unit. Treating those status fields correctly means your internal analytics match your actual invoice: count delivered messages, group by category, and you have a live cost picture. InfiQ's platform reconciles these events for you so your dashboard reflects Meta's live rate card without you writing that logic from scratch.
Securing and scaling your endpoint
Because a webhook URL is publicly reachable, you must prove each request genuinely came from Meta. Every POST carries an X-Hub-Signature-256 header — an HMAC-SHA256 of the raw request body computed with your app secret. Recompute it on your side and reject any request whose signature doesn't match, which blocks spoofed or replayed payloads. Two more practices keep production stable: acknowledge fast and process later, and handle duplicates. Meta expects a 200 within seconds, so push the payload onto a queue and return immediately rather than doing database writes or bot logic inside the request. Meta also retries on non-200 responses and can occasionally deliver the same event twice, so make your handler idempotent — key off the message or status ID so a repeat delivery is a no-op.
- Validate X-Hub-Signature-256 against your app secret on every request
- Return HTTP 200 within seconds; queue the payload for async processing
- Deduplicate on message/status IDs to stay idempotent under retries
- Log raw payloads so you can replay events during debugging
How InfiQ handles webhooks for you
Wiring, verifying, signing, deduplicating, and scaling a webhook consumer is real engineering work — and a single missed 200 can cause Meta to back off delivery. InfiQ, an official Meta Business Partner, manages the ingestion layer so your team consumes clean, normalised events instead of raw Cloud API plumbing. Inbound messages route into shared inboxes and bot flows, delivery statuses populate live analytics, and template state changes surface automatically. Critically, you keep full ownership of your WhatsApp Business Account and BSUID, so you're never locked in — and you can still connect your own systems via forwarded webhooks or APIs when you want custom automation. You get the real-time power of webhooks with transparent ₹ pricing, without maintaining the infrastructure yourself.
Frequently asked questions
Do I need to write a webhook consumer to use the WhatsApp Business API?+
What's the difference between webhooks and polling?+
How do I verify a webhook request really came from WhatsApp?+
What events can I subscribe to?+
Do webhook status payloads still show conversation pricing?+
What happens if my server doesn't respond with HTTP 200?+
Can I forward WhatsApp webhook events to my own CRM through InfiQ?+
Does the webhook endpoint need HTTPS?+
Skip the webhook plumbing
Let InfiQ handle verification, signatures, retries, and real-time event delivery so your team ships automations instead of maintaining infrastructure — talk to us to get set up correctly from day one.