WhatsApp Error 10: Permission Denied

WhatsApp error 10 means permission is not granted or has been removed — missing scopes, unaccepted terms, or (for Flows) a non-allowlisted number. How to fix it.

TL;DR: WhatsApp error 10 is an authorization error meaning permission for the requested action is missing or was removed. Meta's details string is "Permission is either not granted or has been removed." Causes include missing token scopes, eligibility/terms not met, and — for WhatsApp Flows with Endpoint — a phone number that isn't allowlisted for the business public key. Fix it by granting the right permissions and meeting eligibility.

What Error 10 Means

Error 10 is an authorization error (HTTP 403). Meta's official details value is:

"Permission is either not granted or has been removed."

Meta's guidance adds two specifics: for WhatsApp Flows with Endpoint, the phone number used to set your business public key must be allowlisted; and you must meet the eligibility requirements for the API you're calling — if you're not eligible for the endpoint, you'll receive error 10.

Where You See It

Error 10 arrives in the synchronous Graph API response (403 Forbidden). It is an access/authorization condition, not a per-message status webhook. It surfaces on whichever endpoint requires a permission your app doesn't hold (or no longer holds).

Common Causes

  • The access token is missing whatsapp_business_management and/or whatsapp_business_messaging.
  • A permission was granted previously but later removed/revoked.
  • The business has not accepted required legal terms, or isn't eligible for the endpoint being called.
  • For Flows with Endpoint: the phone number used to set the business public key is not allowlisted.

How to Fix It

  1. Run the token through the Access Token Debugger and confirm both WhatsApp permissions are present.
  2. If missing, generate a new system-user token (Business settings → System users → Generate new token → select app → add whatsapp_business_management and whatsapp_business_messaging).
  3. Check the eligibility requirements for the specific API; complete any onboarding/terms acceptance required.
  4. For Flows with Endpoint, ensure the phone number used to set the business public key is allowlisted.
  5. Retry the request.
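
The checks in steps 1 to 4 can be scripted. The sketch below is an added example, not Meta's or Dualhook's code: it takes a parsed error response and a parsed token-debug response and returns the fix steps that apply. The function names, the JSON field names (error.code, error.error_data.details, data.is_valid, data.scopes) and the sample payloads are assumptions constructed for illustration.

```python
import json

REQUIRED_SCOPES = {"whatsapp_business_management", "whatsapp_business_messaging"}

# Constructed samples (not captured traffic). The field names are assumptions
# about the Graph API JSON shape; the details string is the one quoted on this page.
SAMPLE_ERROR = json.loads("""{"error": {"message": "(constructed sample)",
  "code": 10, "error_data": {"messaging_product": "whatsapp",
  "details": "Permission is either not granted or has been removed."}}}""")
SAMPLE_DEBUG = json.loads("""{"data": {"is_valid": true,
  "scopes": ["business_management", "whatsapp_business_messaging"]}}""")

def is_error_10(status, body):
    """True when the response is the HTTP 403 / code 10 condition."""
    err = (body or {}).get("error") or {}
    return status == 403 and err.get("code") == 10

def missing_scopes(debug_body):
    """Required WhatsApp scopes that the debugged token does not hold."""
    data = (debug_body or {}).get("data") or {}
    if not data.get("is_valid", False):
        # An invalid or expired token grants nothing, whatever it lists.
        return set(REQUIRED_SCOPES)
    return REQUIRED_SCOPES - set(data.get("scopes") or [])

def triage(status, body, debug_body, flows_endpoint_call=False):
    """Return the applicable fix steps, in the order given above."""
    if not is_error_10(status, body):
        return ["not error 10"]
    steps = []
    missing = missing_scopes(debug_body)
    if missing:
        steps.append("regenerate system-user token with: "
                     + ", ".join(sorted(missing)))
    else:
        steps.append("scopes present: check eligibility and terms "
                     "acceptance for this API")
    if flows_endpoint_call:
        steps.append("confirm the phone number used to set the business "
                     "public key is allowlisted")
    return steps

if __name__ == "__main__":
    for step in triage(403, SAMPLE_ERROR, SAMPLE_DEBUG, flows_endpoint_call=True):
        print("-", step)
```
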

How to Prevent It

  • Use durable system-user tokens and monitor for 403s.
  • Re-audit asset permissions after portfolio or app changes (revocations are a common surprise).
  • Track which endpoints have eligibility gates and confirm onboarding before going live.

FAQ

Q: My token worked yesterday and now I get error 10 — why?
A: A permission was likely removed/revoked, or an asset assignment changed. Re-check in the debugger and reassign scopes.

Q: Is error 10 about legal terms?
A: It can be — not meeting eligibility/terms for an endpoint returns error 10. Confirm onboarding/terms acceptance.

Q: I get error 10 only on Flows — why?
A: The phone number used to set your business public key must be allowlisted for Flows with Endpoint.

Q: How is error 10 different from 200?
A: 200's base case is a missing token; error 10 is permission not granted/removed for the action.

How Dualhook Helps

This is a permissions code where Dualhook helps substantially. Because Dualhook onboards WABAs through Embedded Signup and operates with advanced whatsapp_business_management and whatsapp_business_messaging access, it can surface authorization and connection health — making a revoked permission or an incomplete-eligibility state visible in monitoring instead of as a sudden 403. See WhatsApp Business API Permissions, Maintain Account Health, and Embedded Signup. The actual grant/allowlist still happens in Meta's tools; Dualhook gives you early, accurate signal about which connection or scope is the problem.
