Skip to content
Meta Business PartnerQuick answer inside

How do WhatsApp webhooks work?

A webhook is a URL on your server that WhatsApp calls the instant something happens — a customer replies, a message is delivered or read, a template gets approved, or a phone number's quality rating changes. Instead of your system repeatedly polling Meta's Cloud API to ask "anything new?", WhatsApp pushes a signed JSON payload to your endpoint the moment the event occurs. That real-time push is what makes automated replies, chatbots, CRM sync, and delivery dashboards possible. This page explains exactly what events you receive, how the handshake and payloads work, and what an Indian business needs to get right when wiring webhooks to the WhatsApp Business API.

HTTPS POST callbacks (port 443, valid TLS)
Protocol
messages (inbound + delivery statuses)
Main event field
X-Hub-Signature-256 HMAC on every request
Security
HTTP 200 within seconds, then process async
Required response
Per delivered message by category (since 1 Jul 2025)
Billing model
You keep your WABA and BSUID
Account ownership

Quick answer

WhatsApp webhooks are POST callbacks Meta sends to your HTTPS endpoint in real time whenever an inbound message arrives or a status changes. You verify the endpoint once, subscribe to the fields you care about, validate each payload's X-Hub-Signature, then acknowledge with HTTP 200 and process asynchronously.

The webhook lifecycle: verify, subscribe, receive

Setting up a WhatsApp webhook is a three-step handshake. First, Meta verifies you own the endpoint: when you register your callback URL in the app dashboard, Meta sends a GET request carrying a hub.challenge string and the verify token you configured. Your server must echo the challenge back and confirm the token matches, which proves the URL is live and yours. Second, you subscribe your WhatsApp Business Account to specific webhook fields — you rarely want every event, so you pick the ones your use case needs. Third, from that point on Meta sends HTTPS POST requests to your URL every time a subscribed event fires. Your job is simply to respond quickly with an HTTP 200, then do the real processing off the request thread.

  • GET verification: echo hub.challenge and match your verify token
  • Subscribe the WABA to fields like messages, message_template_status_update, account_update
  • POST delivery: Meta sends JSON events to your HTTPS endpoint in real time
  • Endpoint must use a valid TLS certificate on port 443 — no self-signed certs

What events you actually receive

Nearly everything useful arrives under the single messages field, but the payload varies by what happened. Inbound customer messages come through as message objects (text, image, document, audio, location, interactive button and list replies, and more), each stamped with the sender's wa_id and a timestamp. Outbound message lifecycle updates arrive as statuses objects that progress through sent, delivered, read, and failed — this is how you build accurate delivery dashboards and trigger retries. Beyond messaging, account-level fields tell you when a template is approved or rejected, when your messaging limit tier changes, when your phone number's quality rating shifts to yellow or red, or when account review status updates. Subscribe deliberately: fewer fields means cleaner payloads and less noise to filter.

  • Inbound messages: text, media, location, contacts, and interactive replies
  • Statuses: sent, delivered, read, failed — plus pricing category metadata
  • message_template_status_update: template approved, rejected, or paused
  • phone_number_quality_update and account_update for health and limit changes

Reading a status payload — and what the pricing fields mean

Each status event includes a pricing block, and this is where accuracy matters. Since Meta retired per-conversation billing on 1 July 2025, WhatsApp charges per delivered message by category — marketing, utility, or authentication. Your webhook's status payload surfaces that category so you can attribute cost to the right message type in your own reporting, rather than guessing. The 24-hour customer service window still exists, but it is now a free service window that lets you reply to a user without a template — it is no longer a billing unit. Treating those status fields correctly means your internal analytics match your actual invoice: count delivered messages, group by category, and you have a live cost picture. InfiQ's platform reconciles these events for you so your dashboard reflects Meta's live rate card without you writing that logic from scratch.

Securing and scaling your endpoint

Because a webhook URL is publicly reachable, you must prove each request genuinely came from Meta. Every POST carries an X-Hub-Signature-256 header — an HMAC-SHA256 of the raw request body computed with your app secret. Recompute it on your side and reject any request whose signature doesn't match, which blocks spoofed or replayed payloads. Two more practices keep production stable: acknowledge fast and process later, and handle duplicates. Meta expects a 200 within seconds, so push the payload onto a queue and return immediately rather than doing database writes or bot logic inside the request. Meta also retries on non-200 responses and can occasionally deliver the same event twice, so make your handler idempotent — key off the message or status ID so a repeat delivery is a no-op.

  • Validate X-Hub-Signature-256 against your app secret on every request
  • Return HTTP 200 within seconds; queue the payload for async processing
  • Deduplicate on message/status IDs to stay idempotent under retries
  • Log raw payloads so you can replay events during debugging

How InfiQ handles webhooks for you

Wiring, verifying, signing, deduplicating, and scaling a webhook consumer is real engineering work — and a single missed 200 can cause Meta to back off delivery. InfiQ, an official Meta Business Partner, manages the ingestion layer so your team consumes clean, normalised events instead of raw Cloud API plumbing. Inbound messages route into shared inboxes and bot flows, delivery statuses populate live analytics, and template state changes surface automatically. Critically, you keep full ownership of your WhatsApp Business Account and BSUID, so you're never locked in — and you can still connect your own systems via forwarded webhooks or APIs when you want custom automation. You get the real-time power of webhooks with transparent ₹ pricing, without maintaining the infrastructure yourself.

Do this with InfiQ

Talk to InfiQ

Get a straight answer for your setup

Tell us what you’re trying to do — a WhatsApp specialist replies within one working day.

Step 1 of 2
WhatsApp

Protected by invisible spam checks · replies within 1 working day

Frequently asked questions

Do I need to write a webhook consumer to use the WhatsApp Business API?+
Not necessarily. If you build directly on Meta's Cloud API, yes — you must host and secure your own webhook endpoint. If you use a platform like InfiQ, the ingestion, verification, and signature validation are handled for you, and you simply consume normalised events or forward them to your own systems when you want custom logic.
What's the difference between webhooks and polling?+
Polling means your server repeatedly asks Meta whether anything new has happened, which wastes calls and adds delay. Webhooks flip that around: Meta pushes each event to you the instant it occurs. Webhooks are faster, cheaper, and the standard way to receive inbound messages and status updates on WhatsApp.
How do I verify a webhook request really came from WhatsApp?+
Every POST includes an X-Hub-Signature-256 header containing an HMAC-SHA256 hash of the raw body, computed with your app secret. Recompute the hash on your side and compare — if it doesn't match, reject the request. This prevents spoofed or replayed payloads from reaching your processing logic.
What events can I subscribe to?+
The main one is messages, which covers both inbound customer messages and outbound delivery statuses (sent, delivered, read, failed). You can also subscribe to template status updates, phone number quality changes, account updates, and messaging limit tier changes. Subscribe only to the fields your use case needs to keep payloads clean.
Do webhook status payloads still show conversation pricing?+
No. Since Meta moved off per-conversation billing on 1 July 2025, WhatsApp charges per delivered message by category — marketing, utility, or authentication. Status payloads include a pricing block showing the category, which you use to attribute cost accurately. The 24-hour window is now a free service window, not a billing unit.
What happens if my server doesn't respond with HTTP 200?+
Meta treats a non-200 response as a failed delivery and retries the event with backoff. Repeated failures can slow or pause delivery to your endpoint. Best practice is to acknowledge with a 200 within seconds and process the payload asynchronously via a queue, and to make your handler idempotent so retries don't duplicate work.
Can I forward WhatsApp webhook events to my own CRM through InfiQ?+
Yes. Because you retain full ownership of your WhatsApp Business Account and BSUID, InfiQ can route normalised events into your CRM or custom systems while still handling the heavy lifting of ingestion, signature validation, and retries. That gives you real-time CRM sync and custom bots without maintaining the raw endpoint yourself.
Does the webhook endpoint need HTTPS?+
Yes. WhatsApp only delivers to HTTPS endpoints on port 443 with a valid, publicly trusted TLS certificate. Self-signed certificates are rejected. This ensures every payload is encrypted in transit and the callback URL is genuinely reachable and yours.

Skip the webhook plumbing

Let InfiQ handle verification, signatures, retries, and real-time event delivery so your team ships automations instead of maintaining infrastructure — talk to us to get set up correctly from day one.