WhatsApp Error 190: Access Token Expired Fix

WhatsApp/Graph error 190 means your access token expired or is invalid. Why it happens and how to switch to a long-lived system-user token.

TL;DR: Error 190 is a Graph API authorization error meaning your access token has expired or been invalidated (HTTP 401). Fix it by replacing temporary/user tokens with a long-lived system-user token scoped to whatsapp_business_management and whatsapp_business_messaging, on the correct WABA and phone number.

What Error 190 Means

Meta's details string is: "Your access token has expired." (Confirmed on the live error table; code 190 sits in the Authorization errors group.) A common variant message is "Error validating access token: Session has expired…". In practice 190 is the access-token family: expired, invalid, or no longer valid for the asset you target. Per Meta's Access Token Guide, short-lived tokens last only a couple of hours and long-lived/system-user tokens last about 60 days — which is why integrations built on a temporary token stop working soon after setup.

Where You See It

An immediate API error (HTTP 401) on any Graph/Cloud API call — message sends, WABA queries, template APIs, subscription/config APIs. It blocks the request, so it is not delivered via the message status webhook.

Common Causes

A short-lived/temporary quickstart token used in production.
The token's session changed or the token was revoked.
App or business-asset permissions were removed.
The live backend points at a different business asset than the token can access.

How to Fix It

Create a system user in Meta Business Settings.
Generate a token for that system user, selecting whatsapp_business_management and whatsapp_business_messaging.
Confirm the token has access to the correct WABA, phone number, and app/business asset.
Store it securely, replace the expired token, and re-test the failing call.

How to Prevent It

Use long-lived system-user tokens, never console temporary tokens, in production.
Track expiry/rotation dates and alert before expiry, not after failure.
Re-validate asset assignments after business/admin changes.

/docs/whatsapp-error-131031 — account locked
/docs/whatsapp-error-100-webhook-override — subscribe before override
/docs/whatsapp-error-80007 — WABA rate limit
See the full error reference

FAQ

What is WhatsApp error 190? Your access token expired or was invalidated; the API returns 401.

Why does my token keep expiring? You're likely using a short-lived token (a couple of hours). Switch to a long-lived system-user token (~60 days).

Which permissions do I need? whatsapp_business_management and whatsapp_business_messaging.

Why does it work in the API Setup tool but not my backend? The tool is usually using a different token/asset/business context than your server.

How Dualhook Helps

Token and authorization health is an account/platform concern where Dualhook genuinely helps. Because Dualhook connects your WABA via Meta Embedded Signup and holds advanced access to whatsapp_business_management and whatsapp_business_messaging, it can surface connection/authorization health and alert you when a WABA's authorization drops — so a 190 doesn't silently break your webhook routing. See Maintain Account Health and Messaging Health Status. The token used by your own sending backend is yours to rotate; Dualhook surfaces status but does not send on your behalf.

WhatsApp/Graph Error 190: Access Token Expired