WhatsApp credentials¶
Agoras needs the following information from WhatsApp Business API to be able to access its API:
Meta Graph API Access Token
WhatsApp Business Phone Number ID
Target Recipient Phone Number (E.164 format)
Business Account ID (optional)
For that, we’ll need to create a Meta Developer Account, set up a WhatsApp Business Account, and obtain the necessary credentials from Meta Business Manager.
Important: WhatsApp Business API requires business verification for production use. For development and testing, you can use test phone numbers and temporary access tokens. Make sure your WhatsApp Business Account has the necessary permissions for the actions you want to perform.
—
Meta Developer Account Setup¶
WhatsApp Business API is part of Meta’s platform, so you’ll need a Meta Developer Account (shared with Facebook and Instagram).
Go to Meta for Developers
Click “Get Started” or “My Apps” if you already have an account
Create a new app or select an existing app
Add the WhatsApp product to your app
Note: If you already have a Meta Developer Account for Facebook or Instagram, you can use the same account and add WhatsApp to an existing app.
Create a Meta App¶
In Meta for Developers, click “Create App”
Select “Business” as the app type
Fill in your app details: - App name - App contact email - Business account (if applicable)
Click “Create App”
Add WhatsApp Product¶
In your app dashboard, find “Add Product” or go to “Products”
Find “WhatsApp” and click “Set Up”
Follow the setup wizard to configure WhatsApp Business API
WhatsApp Business Account Setup¶
After adding WhatsApp to your app, you need to set up a WhatsApp Business Account.
In your app dashboard, go to “WhatsApp” > “Getting Started”
Click “Create Business Account” or link an existing WhatsApp Business Account
Complete the business account setup: - Business name - Business category - Business description - Contact information
Important: For production use, you’ll need to complete business verification. This process can take several days and requires business documentation.
Phone Number Registration¶
You need to register a phone number with your WhatsApp Business Account.
In your app dashboard, go to “WhatsApp” > “Phone Numbers”
Click “Add Phone Number”
Select your country and enter your phone number
Choose verification method (SMS or Voice call)
Enter the verification code you receive
Complete the phone number setup
Development Mode: For testing, you can use test phone numbers provided by Meta. These don’t require phone number verification but have limitations.
Get Phone Number ID¶
After registering your phone number:
Go to “WhatsApp” > “Phone Numbers” in your app dashboard
Click on your phone number
Find the “Phone number ID” (it’s a long numeric ID)
Copy this ID - you’ll need it for Agoras
Example: Phone number ID looks like: 123456789012345
Access Token Generation¶
WhatsApp Business API uses Meta Graph API access tokens. You can generate temporary tokens for development or permanent tokens for production.
Generate Temporary Access Token (Development)¶
In your app dashboard, go to “WhatsApp” > “API Setup”
Find the “Temporary access token” section
Click “Generate Token”
Copy the token - it expires in 24 hours
Note: Temporary tokens are for development and testing only. They have limited rate limits and expire quickly.
Generate Permanent Access Token (Production)¶
For production use, you need a permanent access token:
Go to “WhatsApp” > “API Setup” in your app dashboard
Scroll to “Permanent access token” section
Click “Generate Token”
Select the appropriate permissions/scopes: -
whatsapp_business_messaging-whatsapp_business_managementCopy the token - this token doesn’t expire (unless revoked)
Important: Store permanent tokens securely. They provide full access to your WhatsApp Business Account.
Token Permissions and Scopes¶
WhatsApp Business API requires the following permissions:
whatsapp_business_messaging: Send and receive messages
whatsapp_business_management: Manage business profile and settings
Make sure your access token has these permissions when generating it.
Token Management¶
Token Expiration: Temporary tokens expire in 24 hours. Permanent tokens don’t expire unless revoked.
Token Refresh: For temporary tokens, generate a new token before expiration. Permanent tokens don’t need refresh.
Token Revocation: You can revoke tokens in Meta Business Manager if compromised.
Security: Never share your access tokens publicly. Store them in environment variables or secure secret managers.
Business Account ID (Optional)¶
The Business Account ID is optional but may be required for some operations.
Find Business Account ID¶
Go to Meta Business Manager
Select your business account
Go to “Business Settings” > “Business Info”
Find the “Business ID” - this is your Business Account ID
Note: The Business Account ID is different from the Phone Number ID. You typically only need the Phone Number ID for basic messaging operations.
When It’s Required¶
Business profile management
Advanced analytics
Multi-phone number management
Some enterprise features
For basic message sending, the Business Account ID is usually not required.
Recipient Phone Number¶
WhatsApp Business API sends messages to individual recipients. You need to specify the recipient phone number in E.164 format.
E.164 Format Requirements¶
Phone numbers must be in E.164 international format:
Start with a + sign
Followed by country code (1-3 digits)
Followed by the phone number (without leading zeros)
Examples:
- US: +1234567890
- UK: +441234567890
- Mexico: +521234567890
Test Phone Numbers (Development)¶
For development and testing, you can use test phone numbers:
In your app dashboard, go to “WhatsApp” > “API Setup”
Find “To” field in the test section
Add test phone numbers (numbers you want to send test messages to)
These numbers must be verified in your Meta account
Note: Test phone numbers have limitations: - Can only send to verified test numbers - Limited rate limits - Messages are marked as test messages
Production Recipient Setup¶
For production:
Recipients must opt-in to receive messages from your business
You can only send to numbers that have initiated contact with you (for 24-hour window)
For messages outside the 24-hour window, you must use approved message templates
Recipients can opt-out at any time
Recipient Verification¶
Before sending messages to production recipients:
Ensure recipients have opted in to receive messages
Verify recipient phone numbers are in E.164 format
Test with a small group before sending to all recipients
Monitor delivery rates and recipient feedback
Rate Limiting and Compliance¶
WhatsApp Business API has rate limits to prevent abuse and ensure quality.
Free Tier Limits¶
1,000 messages per day (free tier)
Rate limits apply per recipient
Limits reset daily
Note: These limits are for unverified businesses. Business verification increases limits significantly.
Business Verification Benefits¶
After business verification:
Higher message limits (varies by business tier)
Access to advanced features
Better delivery rates
Priority support
Compliance Guidelines¶
WhatsApp Business Policy: Follow Meta’s WhatsApp Business Policy
Message Templates: Pre-approved templates required for notifications
Opt-in Requirements: Recipients must opt-in to receive messages
Data Privacy: Comply with GDPR and local data protection laws
Content Guidelines: Follow WhatsApp’s content and spam policies
Best Practices¶
Start with test phone numbers during development
Monitor rate limits and plan message sending accordingly
Use message templates for notifications
Respect recipient opt-outs immediately
Keep access tokens secure and rotate them periodically
Monitor delivery rates and adjust messaging strategy
Troubleshooting¶
Common Setup Issues¶
Issue: “Invalid access token” - Solution: Generate a new access token. Temporary tokens expire in 24 hours.
Issue: “Phone number not verified” - Solution: Complete phone number verification in Meta Business Manager.
Issue: “Invalid phone number ID” - Solution: Verify you’re using the correct Phone Number ID from your app dashboard.
Issue: “Recipient phone number invalid” - Solution: Ensure phone number is in E.164 format (starts with +, includes country code).
Token Expiration Handling¶
Temporary tokens: Generate new token before expiration (every 24 hours)
Permanent tokens: Should not expire unless revoked
Token refresh: Not supported for WhatsApp (unlike OAuth refresh tokens)
Error handling: Agoras will show clear error messages if token is invalid
Phone Number Verification Problems¶
SMS not received: Try voice call verification instead
Verification code expired: Request a new verification code
Wrong phone number: Ensure you’re using the correct number format
Already verified: Check if number is already linked to another account
Business Verification Delays¶
Processing time: Business verification can take 3-7 business days
Documentation: Ensure all required documents are submitted
Status check: Monitor verification status in Meta Business Manager
Support: Contact Meta support if verification is delayed beyond expected time
Test your setup¶
You can test if your WhatsApp Business API is properly configured:
Make sure you have your access token and phone number ID
First, authorize your WhatsApp credentials:
agoras whatsapp authorize \ --access-token "your_access_token_here" \ --phone-number-id "your_phone_number_id_here"
Then send a test message (credentials are now stored):
agoras whatsapp post \ --recipient "+1234567890" \ --text "Hello from Agoras!"
Check if the message appears in WhatsApp
CI/CD Setup (Unattended Execution)¶
For CI/CD environments where interactive authorization isn’t possible, you can skip the authorize step entirely and provide all required credentials via environment variables.
Run
agoras whatsapp authorizelocally first to store credentials (optional, for local development)Extract stored credentials using the tokens utility command (if you need to retrieve them):
# First, list tokens to find the identifier (phone_number_id) agoras utils tokens list --platform whatsapp # Then view all stored credentials agoras utils tokens show --platform whatsapp --identifier {identifier}
For CI/CD, set all required environment variables in your CI/CD pipeline:
export WHATSAPP_ACCESS_TOKEN="your_access_token_here" export WHATSAPP_PHONE_NUMBER_ID="your_phone_number_id_here" export WHATSAPP_BUSINESS_ACCOUNT_ID="your_business_account_id_here" # Optional export WHATSAPP_RECIPIENT="+1234567890" # Required for all messaging actions
Run Agoras actions directly without running
authorize. All credentials will be loaded from environment variables.
Note: For unattended execution, you must provide all required credentials (access token, phone number ID, and recipient) as shown in the Platform Arguments and Environment Variables Reference documentation. The recipient phone number must be provided with each messaging action as it varies per message.
Agoras parameters¶
WhatsApp credential |
Agoras parameter |
Required for |
|---|---|---|
Access Token |
–access-token |
authorize (required) post/video/etc (optional) |
Phone Number ID |
–phone-number-id |
authorize (required) post/video/etc (optional) |
Business Account ID |
–business-account-id |
authorize (optional) |
Recipient Number |
–recipient |
All messaging actions |
Important: Run agoras whatsapp authorize first to store your credentials securely. After authorization, you can use post, video, and template actions without providing access token and phone number ID each time.
Note: The recipient phone number must be provided with each message action as it varies per message. It is not stored during authorization.
Security Best Practices¶
Never commit tokens to version control: Use .gitignore for credential files
Use environment variables: Store credentials in environment variables, not in code
Rotate tokens periodically: Generate new tokens and revoke old ones
Use secrets managers: For production, use AWS Secrets Manager, HashiCorp Vault, etc.
Limit token permissions: Only grant necessary permissions
Monitor token usage: Regularly check for unauthorized access
Revoke compromised tokens: Immediately revoke any tokens that may be compromised
