WhatsApp webhook setup with direct Meta-to-your-server routing
Dualhook helps teams set up a WhatsApp webhook so Meta sends message-path webhooks directly to their own server. That keeps Dualhook out of the message path while still handling setup, Webhook Override, and operational monitoring around the connection.
Configure your webhook URL and verify token before Embedded Signup starts, let Dualhook apply Webhook Override automatically, and receive WhatsApp messages directly from Meta with no Dualhook message proxy.
What is a WhatsApp webhook?
A webhook is the HTTPS endpoint that Meta calls when something happens in your WhatsApp Business API or Cloud API setup. Inbound customer messages, delivery and read updates, and other webhook events are delivered as HTTP requests to your server.
Teams usually search for phrases like WhatsApp webhook, WhatsApp API webhook, or WhatsApp Cloud API webhook, even though Meta often uses broader platform terms in its documentation. This page is the plain-language overview of that setup, while the docs cover the payloads and implementation details.
What is Webhook Override and why does it matter?
Dualhook uses Webhook Override so message-path events are routed directly from Meta to your own endpoint. That means the customer endpoint receives the actual message webhooks, while Dualhook's app-level callback remains focused on management events and operational monitoring.
This is the same routing model behind Dualhook's privacy architecture. For the detailed field-level webhook format, see the messaging webhook reference.
How Dualhook sets up the webhook during connection setup
Dualhook asks for this automatically when you click Connect WhatsApp. You do not need to configure the webhook in a separate admin screen first, and Meta does not ask for these values inside the popup itself.
The first step in the connection flow is the setup dialog that collects your webhook URL and verify token before Embedded Signup opens. Those values are then stored on the connection and used during the auto-subscribe step after signup returns, so Webhook Override can be configured before message-path webhooks or imported chat history start landing.
What the setup step looks like
Set up your WhatsApp connection
Configure your webhook endpoint first, then continue to Meta's secure embedded signup.
Connection Name
Webhook URL
Must be HTTPS. Meta will deliver messages and any approved one-time history/contact sync directly to this endpoint.
Verify Token
Use this token in your webhook endpoint to verify Meta's GET handshake requests.
What Dualhook collects automatically in that first step
- Your HTTPS webhook URL
- Your webhook verify token
- A connection name for the setup
What happens after signup returns
- You enter the webhook URL and verify token before Meta opens. In the signup UI, Dualhook asks for your `webhookUrl` and `verifyToken` before the Embedded Signup popup starts.
- Dualhook stores both values on the connection. Those values become part of the connection configuration so they can be used during the subscribe step after signup returns.
- After signup returns and the WABA is known, Dualhook subscribes the app. Dualhook calls `POST /<WABA_ID>/subscribed_apps` against Meta after the relevant business assets have been discovered.
- The payload includes your webhook URL and verify token. Dualhook sends `override_callback_uri` and `verify_token` so Meta knows which endpoint to verify and where message-path webhooks should go.
- Meta verifies your endpoint with a GET challenge. Meta sends a verification request to your webhook endpoint using the verify token you entered in Dualhook.
- If verification succeeds, message webhooks go straight to your endpoint. From that point on, inbound messages and status updates are delivered directly from Meta to your server.
POST /<WABA_ID>/subscribed_apps
{
"override_callback_uri": "https://your-server.com/webhooks/whatsapp",
"verify_token": "<the token you entered in Dualhook>"
}How Meta verifies your webhook endpoint
Meta verifies callback ownership by sending a GET request to your endpoint. Your code needs to compare `hub.verify_token` with the token you entered in Dualhook. If it matches, return the raw `hub.challenge` as plain text with `HTTP 200`. If it does not match, return `HTTP 403`.
GET /webhooks/whatsapp?hub.mode=subscribe&hub.verify_token=<YOUR_TOKEN>&hub.challenge=1903260781
if request.method == "GET" and query["hub.mode"] == "subscribe":
if query["hub.verify_token"] == EXPECTED_VERIFY_TOKEN:
return 200 text/plain query["hub.challenge"]
else:
return 403
What your endpoint must support
- A public HTTPS URL that Meta can reach from the internet.
- A GET verification handler for the challenge request.
- A POST handler for incoming message and status webhooks.
- Signature validation for POST requests as a best practice.
For the payload shape, delivery guidance, and POST signature validation details, use the messaging webhook documentation.
Common webhook setup mistakes
- Using the wrong verify token in your GET verification handler.
- Returning JSON instead of the raw plain-text challenge.
- Using a local, private, or otherwise non-public URL.
- Pointing Meta at the wrong environment URL.
- Expecting Dualhook to receive and proxy your message webhooks.
Frequently asked questions about WhatsApp webhooks
What is a WhatsApp webhook?
A WhatsApp webhook is the HTTP endpoint that receives inbound messages, delivery updates, and related events from Meta for a WhatsApp Business API or Cloud API setup.
What is Webhook Override in Dualhook?
Webhook Override is the Meta configuration Dualhook uses so message-path webhooks go directly from Meta to your own endpoint instead of through Dualhook's app-level callback.
When do I set the webhook URL and verify token in Dualhook?
Before the Meta Embedded Signup popup opens. Dualhook collects the webhook URL and verify token first, stores them on the connection, and then uses them during the auto-subscribe step after signup completes.
How does Meta verify my webhook endpoint?
Meta sends a GET request with hub.mode=subscribe, hub.verify_token, and hub.challenge. Your endpoint must compare the verify token and, if it matches, return the raw hub.challenge as plain text with HTTP 200.
Does Dualhook store or proxy my WhatsApp messages?
No. With Dualhook, message-path webhooks go directly from Meta to your server. Dualhook handles setup, monitoring, and management-event processing rather than storing or proxying message content.
Implementation Guides
Start with the guide that matches your stack. Direct code receivers and automation platforms are split here because they fit different webhook architectures.
Automation Platforms
n8n Webhook Integration
Use n8n as the direct Meta webhook receiver with raw-body signature validation and Graph API sends.
Make Webhook Integration
Use Make Custom Webhooks for direct Meta deliveries, HMAC validation, and outbound template automation.
Zapier Webhook Integration
Use a lightweight gateway for Meta verification, then forward approved WhatsApp events into Zapier.
Code Guides
Node.js Webhook Receiver
Build an Express endpoint for Meta verification, signature validation, and direct WhatsApp webhook processing.
Laravel Webhook Integration
Build a Laravel webhook controller for direct Meta deliveries, verification, and template sends.
Shopify WhatsApp Integration
Connect Shopify order events to WhatsApp template messages while replies still arrive directly via Dualhook routing.
Keep reading
Go deeper into Webhook Override, messaging webhook payloads, privacy, and the wider WhatsApp Business API setup.
Webhook Override docs
See the exact override mechanism Dualhook configures on your WABA subscription.
Messaging webhook reference
Review verification, signature validation, payload structure, and processing guidance.
Privacy architecture
See why direct Meta-to-your-server routing matters for message privacy and system boundaries.
WhatsApp Business API guide
Understand where webhooks fit inside the broader Cloud API and Dualhook setup.
Ready to connect your webhook?
Enter your webhook URL and verify token first, then let Dualhook handle the Embedded Signup and Webhook Override flow.