我們即將停用內部部署 API。詳情請參閱內部部署 API 停用文件,並從中了解如何轉用新一代雲端 API。
This document shows you how to make WhatsApp Business API requests and what the returned responses might look like.
To use the WhatsApp Business API, you must authenticate yourself. Only users with valid authentication tokens can access the service.
For your initial login, use your username and password for basic authentication. For all other secure interactions, you must use the bearer token that is returned after a successful login.
The tokens are sent in the authorization header of the HTTP request for many of the WhatsApp Business API calls. In particular, notice in the following example that the type of authorization that is used with this token is Bearer
.
HTTP-METHOD /secured-path Authorization: Bearer your-auth-token
For all secured paths, we validate the token. During validation, if a token is found to be expired, that token is removed from the system. Upon successful validation, the request is allowed to proceed. Requests made with an invalid token receive a 401 Unauthorized
error code.
You can use your token for authentication until the token expires. A token can expire for these reasons:
expires_after
parameter in the response provides the expiration date for the token. Log in again to generate a new token.Authentication tokens expire after 7 days, so you will need to log in weekly to update the Bearer
token.
Many client software apps (e.g., Postman) take the username:password
parameter and build the authentication header automatically. If you need to build it yourself, here are the basic steps:
username:password
string.The base64 encoding for the default username and password string admin:secret
results in YWRtaW46c2VjcmV0
, so the admin credentials will be Authorization: Basic YWRtaW46c2VjcmV0
.
health
, metrics
, and stats
nodes from an orchestrator, Bearer tokens are not the best option for ongoing checks as they expire every 7 days. To mediate this, you can use an API key, which can be set using the WA_API_KEY
environment variable in the waweb
environment section in the .yml
file of your installation setup.
services: ... waweb: ... environment: ... WA_API_KEY: your-api-key-tokenThe API key you set must have a minimum of 12 characters and a maximum of 128 characters. The Webapp must be restarted whenever you change the API key.
You can use the WhatsApp-provided Postman Collection or cURL API calls to send requests.
A valid HTTP request includes the following components:
POST
, GET
, DELETE
, PATCH
and PUT
.Content-Type
in the header (e.g.,“Content-Type: application/json”
). This uses UTF-8 character encoding, and charset=utf-8
is the default for application/json
.This cURL API request example of the WhatsApp Business API format uses the contacts
node:
curl -X POST \ https://your-webapp-hostname:your-webapp-port/v1/contacts \ -H 'Authorization: Bearer your-auth-token' \ -H 'Content-Type: application/json' \ -d '{ "blocking": "wait", "contacts": [ "6315551000", "6315551002", "631-555-1005" ] }'
your-webapp-hostname
is the hostname, FQDN or IP address, where the Webapp container or the load balancer runs. your-webapp-port
is optional and required only if either the load balancer listens on or if the Webapp container is mapped to a non-standard HTTPS port. Note: If using Docker to run your WhatsApp Business API client, you can run the docker ps
command to find the port. /v1/contacts
is the endpoint to send the data request to your-auth-token
is obtained after you log in using the /v1/users/login
endpoint. See the Login and Authentication documentation for more information.-d @filepath`
.A WhatsApp Business API response has the following components:
In this example, the payload is contacts
because we sent a request to the contacts
endpoint in the above request example.
Note: Normally in a successful response, errors
would not be present; they are included here purely as an example.
200 OK { "contacts": [ { "input": "1-631-555-1002", "status": "valid", "wa_id": "16315551002" }, { "input": "6315551003", "status": "valid", "wa_id": "16315551003" } ], "meta": { "version": "whatsapp-business-api-client-version", "api_status": "deprecated" | "experimental" | "stable" } "errors": [{ "code": error-code, "title": "error-code-title", "details": "optional-detailed-error-message" }] }
Capacity rate limiting is imposed on each available API endpoint and will return the appropriate HTTPS error codes (e.g., 429
, 503
, etc.) depending on the state of the system.
Two forms of capacity rate limiting are currently supported:
429
error code.v2.25.3
, the request rate limit for the messages
endpoint is 50 requests per second with bursts allowed up to 150 requests per second. v2.25.3
and all other endpoints, the request rate limit is 20 requests per second with bursts allowed up to 60 requests per second.503
error.When you hit either of these capacity rate limiting scenarios, you should halt any further requests and slow the pace of your API requests. If you start seeing many capacity rate limit errors, it would be advisable to build a queue on your end to throttle the requests.
If your expected average send-rates are significantly higher and queuing is not an effective strategy, please look into our High Availability and Scaling options.