WhatsApp Error 200: No Access Token / Permission Issue

WhatsApp error 200 means no access token was provided ('Provide valid app ID'); in practice it also surfaces as a missing-permission-to-send error. How to fix both.

TL;DR: WhatsApp error 200 means no access token was provided on the request. Meta's details string is "No access token was provided. The API returns the message 'Provide valid app ID'. This error occurs on certain GET endpoints (such as whatsapp_business_profile) when no token is included. Other endpoints may return error code 190 or 104 instead." In practice the 200 family also surfaces as a missing-permission error when your token can't act on the WABA. Fix it by including a valid token with the right permissions.

What Error 200 Means

200 is an authorization error. The base case is a request that omitted an access token entirely; Meta returns "Provide valid app ID." Meta's official details value is:

"No access token was provided. The API returns the message 'Provide valid app ID'. This error occurs on certain GET endpoints (such as whatsapp_business_profile) when no token is included. Other endpoints may return error code 190 or 104 instead."

Meta's table also documents the 200–299 range with details "Permission is either not granted or has been removed." So a 200-series error often means your token lacks a required business-asset permission rather than being missing entirely. A very common runtime message developers see in this family is: (#200) You do not have the necessary permissions required to send messages on behalf of this WhatsApp Business Account. (community-observed runtime string) — which points to a missing whatsapp_business_messaging permission on the token.

Where You See It

Synchronous Graph API response (403/permission class). The literal 200 / "Provide valid app ID" case shows on GET endpoints like whatsapp_business_profile when no token is sent; permission-range (200–299) errors and the "necessary permissions" runtime message appear on any endpoint whose required permission your token doesn't hold (e.g. sending a message). It is not a per-message webhook.

Common Causes

  • The request was sent with no access token (the literal 200 / "Provide valid app ID" case).
  • The token lacks whatsapp_business_management and/or whatsapp_business_messaging permissions (the "necessary permissions to send messages" runtime case).
  • A business-asset permission was granted earlier but later removed/revoked, or the asset assignment changed in the Business Portfolio.
  • Wrong token type (e.g. a user token where a system-user token is needed).

How to Fix It

  1. Confirm your request actually includes an Authorization: Bearer <token> header (or access_token param).
  2. Paste the token into the Access Token Debugger to verify it carries whatsapp_business_management and whatsapp_business_messaging.
  3. If permissions are missing, generate a new system-user token: Business settings → System users → Generate new token → select the app and add both WhatsApp permissions.
  4. For 200-series permission errors, reassign the correct Business Portfolio asset permissions to the app/system user.
  5. Retry; distinguish from 190 (expired/invalid token) and 104 (different auth failure).

How to Prevent It

  • Use long-lived system-user tokens for production and rotate them deliberately.
  • Monitor for 401/403 auth failures and alert when they spike.
  • Audit asset permissions after any change to portfolio membership or app configuration.

Related Errors

FAQ

Q: I get "Provide valid app ID" — what's wrong? A: Your request had no access token. Add a valid token; this is error 200, distinct from 190 (expired).

Q: I get "(#200) You do not have the necessary permissions required to send messages on behalf of this WhatsApp Business Account." Why? A: Your token is missing the whatsapp_business_messaging permission (or it was revoked). Regenerate a token with both WhatsApp permissions and reassign the WABA asset.

Q: Which permissions do I need? A: whatsapp_business_management and whatsapp_business_messaging.

Q: How is 200 different from 190? A: 200 = no token provided (or missing permission); 190 = token provided but expired/invalid.

How Dualhook Helps

This is a platform/permissions code where Dualhook adds substantial value. Dualhook connects your customer's WABA via Meta Embedded Signup and holds advanced whatsapp_business_management and whatsapp_business_messaging access, so it can surface authorization health and connection state — flagging when an asset permission is missing or a connection has degraded before your own GET/management/send calls start failing with 200/200-series errors. See WhatsApp Business API Permissions, Maintain Account Health, and Embedded Signup. Your own request still has to carry a valid token with the right scopes — Dualhook makes the permission/connection picture visible rather than guessing.

Browse more docsStart Free Trial