Flows Encryption

This guide specifies how to set and get the business public key for the WhatsApp Flows user experience. Businesses will need to generate a 2048-bit RSA key pair and share a business public key to establish an encrypted GraphQL-powered data exchange channel between them and the WhatsApp consumer client.

Prerequisites

The phone number must be successfully registered, and the business must have generated a 2048-bit RSA Key as described below.

Generating a 2048-bit RSA Key Pair

Generate a public and private RSA key pair by typing in the following command:

openssl genrsa -des3 -out private.pem 2048

This generates 2048-bit RSA key pair encrypted with a password you provided and is written to a file.

Next, you need to export the RSA Public Key to a file:

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

You can then use it, for example, on your web server to encrypt content such that it can only be read with the private key.

Reusing 2048-bit RSA Key Pairs Option

You could also re-use an existing private/public key pair by extracting a public key from existing certificate:

openssl x509 -pubkey -noout -in private.pem  > public.pem   

Set Business Public Key

To set a business public key using Graph API, make a POST request to /PHONE_NUMBER_ID/whatsapp_business_encryption. In your call, include the 2048-bit RSA key you generated. If you have multiple phone numbers linked to a WABA, this API must be called to sign the business public key for each phone number.

In Postman, when inputting the business public key as a parameter in the Body, select x-www-form-urlencoded.

EndpointAuthentication

/PHONE_NUMBER_ID/whatsapp_business_encryption

Authenticate yourself with a system user access token and you must have the whatsapp_business_messaging permission.


If you are requesting the code on behalf of another business, the access token needs to have Advanced Access to the whatsapp_business_messaging permission.

Parameters

Name Description

business_public_key

string

Required.

2048-bit RSA business public key generated.

Example

Sample request:

curl -X POST \
  'https://graph.facebook.com/v21.0/PHONE_NUMBER_ID/whatsapp_business_encryption' \
  -H 'Authorization: Bearer ACCESS_TOKEN' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'business_public_key=BUSINESS_PUBLIC_KEY'

For example:

curl -X POST \
  'https://graph.facebook.com/v21.0/PHONE_NUMBER_ID/whatsapp_business_encryption' \
  -H 'Authorization: Bearer ACCESS_TOKEN' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'business_public_key=-----BEGIN PUBLIC KEY-----
AAA
BBB
CCC
DDD
EEE
FFF
GGG
-----END PUBLIC KEY-----'

A successful request returns HTTP status code 200 and the payload:

{
  "success": true
}

Please see Error and Status Messages if you encounter any errors.

Get Business Public Key

The phone number must be successfully registered, and the business must have generated a 2048-bit RSA key.

To get a business public key using Graph API, make a GET request to /PHONE_NUMBER_ID/whatsapp_business_encryption.

EndpointAuthentication

/PHONE_NUMBER_ID/whatsapp_business_encryption

Authenticate yourself with a system user access token and you must have the whatsapp_business_messaging permission.


If you are requesting the code on behalf of another business, the access token needs to have Advanced Access to the whatsapp_business_messaging permission.

Parameters

Name Description

business_public_key

string

Stored 2048-bit RSA business public key.

business_public_key_signature_status

string

Status of stored 2048-bit RSA business public key.

Example

Sample request:

curl -X GET \
  'https://graph.facebook.com/v21.0/PHONE_NUMBER_ID/whatsapp_business_encryption' \
  -H 'Authorization: Bearer ACCESS_TOKEN' 

A successful response looks like this:

{
  "business_public_key": "<2048_bit_RSA_key>"
  "business_public_key_signature_status": VALID | MISMATCH
}

Please see Error and Status Messages if you encounter any errors.