Free tool
Make sense of WhatsApp webhook payloads in seconds
Paste any WhatsApp Cloud API webhook body to pretty-print it, identify the event type and decode the fields that matter — wamid, status, sender and errors — right in your browser.
Paste a webhook payload
Grab the request body from your server logs or tunnel inspector, or load a sample to see how the formatter reads it.
Everything runs in your browser — payloads are never uploaded or stored anywhere.
Formatted payload
How it works
Three steps, no signup
Paste the payload
Copy the raw request body from your server logs or tunnel inspector and drop it in, or load an inbound-message or status-update sample to explore the structure.
Read the annotated view
The formatter pretty-prints the JSON with syntax colouring, labels the event type, and lists only the important paths actually present in your payload with plain-English explanations.
Copy and fix
Copy the formatted JSON for a ticket or test fixture, check the wamid and status fields your handler should key on, and ship the fix with confidence.
Good to know
Three webhook habits that prevent 2 a.m. debugging
The first habit is answering fast. Meta expects your endpoint to return an HTTP 200 within a few seconds of receiving an event; if it does not, the platform retries — and keeps retrying with the same payload. Handlers that parse, write to the database and call downstream services before responding are the classic cause of duplicate messages appearing in an inbox. The robust pattern is boring and effective: validate the request, drop the raw body onto a queue, return 200 immediately, and do the real work in a background worker. Your processing time then has no bearing on whether Meta considers the delivery successful.
The second habit is treating status updates as a state machine, not a sequence. Under load, the sent, delivered and read receipts for a single message can arrive out of order — a read before the deliveredit logically follows is common. Code that assumes chronological arrival will happily downgrade a message from read back to delivered. Instead, key every update on the message's wamid — the same ID the send API returned — and only move state forward: sent → delivered → read, with failed as a terminal branch that carries an errors array explaining what went wrong. Deduplicate on wamid too, since retries mean you will eventually see the same event twice.
The third habit is verifying signatures in production. Every webhook Meta sends includes an X-Hub-Signature-256 header: an HMAC-SHA256 of the raw request body computed with your app secret. Compute the same HMAC over the exact bytes you received — before any JSON parsing or re-serialisation — and compare it to the header with a constant-time comparison. Skip this and anyone who discovers your endpoint URL can inject fabricated messages and statuses into your system. It is a few lines of code and the single most important security control a webhook consumer has.
If you build on InfiQ, the same knowledge transfers directly: InfiQ forwards webhook deliveries in the familiar entry/changes/value shape, signed with your X-INFIQ-API-KEY so you can verify authenticity the same way. The developer documentation covers endpoint setup, signature verification and retry behaviour in detail.
FAQ
Frequently asked questions
What is the structure of a WhatsApp Cloud API webhook payload?
Every event arrives as a JSON envelope: object at the top, then an entry array where entry[0].id is your WhatsApp Business Account ID, then changes, and finally the value object that carries the actual event. Inbound customer messages appear under value.messages, while delivery receipts for messages you sent appear under value.statuses. The metadata block inside value identifies which of your business numbers the event belongs to.
What is a wamid and why does it matter?
A wamid is the globally unique ID WhatsApp assigns to every message — the API returns one when you send, and the same ID comes back in each status webhook for that message. Use it to deduplicate events and to key delivery state, because statuses can arrive out of order and timestamps alone are not reliable for ordering.
Why am I receiving the same webhook event more than once?
Meta retries delivery whenever your endpoint fails to return an HTTP 200 quickly — slow handlers, timeouts and 5xx responses all trigger retries with the same payload. Return 200 within a few seconds and queue the real processing for a background worker. On your side, make handling idempotent by deduplicating on the message or status wamid.
What does a failed status webhook contain?
When value.statuses[0].status is "failed", the same status object carries an errors array with a numeric code, a title and often a details message explaining the cause — for example the 24-hour customer service window having closed or the recipient number being unable to receive the message. Logging the full errors array is the fastest way to diagnose delivery problems.
Is it safe to paste real webhook payloads into this tool?
Yes. The formatter parses and annotates everything locally in your browser — no payload is uploaded, logged or stored anywhere. That said, treat production payloads as customer data: they contain phone numbers and message content, so avoid sharing raw dumps in tickets or chat without redacting them.
Still have questions?
Book a demoMore free tools
Keep your stack sharp
JSON Template Validator
Paste template JSON and catch structural errors before Meta review does.
Open toolTemplate Variable Checker
Lint {{n}} variables — gaps, duplicates and edge-position mistakes.
Open toolPhone Number Formatter
Convert phone numbers to E.164 — single numbers or whole lists.
Open toolMedia Size Checker
Check images and files against WhatsApp media limits — in your browser.
Open toolStop reading raw webhook dumps by hand
InfiQ's developer API delivers clean, signed webhooks with the same Cloud API shape, plus a dashboard that shows delivery state per message. 7-day free trial, no card required.
