Integration and operations
- Validate that the WhatsApp number is connected before testing sends.
- For any non-2xx response, record the statusCode and response body — it makes debugging much easier.
- For 429 and 5xx errors, retry with exponential backoff and jitter.
- Use webhooks to observe the full lifecycle (sent/delivered/read/failed) in real time instead of polling.
Security
- Keep the API key on the backend only — never ship it to a browser or mobile app.
- Avoid logging sensitive data (the full key, or message content if your policy requires).
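The retry and logging advice above, combined into one backend helper. This is an added example, not code from the provider or its SDK: `transport`, `sendWithRetry`, the option names, the request shape and the sample key are all hypothetical, and the base delay and cap are assumed values.

```javascript
// Added example, not the provider's SDK. `transport` is a hypothetical
// function (request) => Promise<{ statusCode, body }> that wraps your HTTP
// client and attaches the API key itself, on the backend.

// Only rate limits and server errors are worth retrying.
const isRetryable = (status) => status === 429 || (status >= 500 && status <= 599);

// Full jitter: uniform in [0, min(capMs, baseMs * 2^attempt)).
function backoffDelayMs(attempt, rand = Math.random, baseMs = 500, capMs = 30000) {
  return Math.floor(rand() * Math.min(capMs, baseMs * 2 ** attempt));
}

// Scrub every occurrence of the key before text reaches a log sink.
function redact(text, apiKey) {
  const s = typeof text === "string" ? text : JSON.stringify(text) ?? "";
  return apiKey ? s.split(apiKey).join("[REDACTED_KEY]") : s;
}

async function sendWithRetry(transport, request, apiKey, opts = {}) {
  const {
    maxAttempts = 5,
    rand = Math.random,
    log = console.error,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  let res;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    res = await transport(request);
    if (res.statusCode >= 200 && res.statusCode < 300) return res;
    // Record statusCode and body for every non-2xx response, key scrubbed.
    log(`send failed statusCode=${res.statusCode} body=${redact(res.body, apiKey)}`);
    // Other 4xx (e.g. the 403 scope errors) will not succeed on retry.
    if (!isRetryable(res.statusCode)) return res;
    if (attempt < maxAttempts - 1) await sleep(backoffDelayMs(attempt, rand));
  }
  return res; // still failing after maxAttempts; caller decides what to do
}

// Constructed demo: 429, then 503 echoing the key, then success.
const demoKey = "sk_constructed_example";
const demoReplies = [
  { statusCode: 429, body: "rate limited" },
  { statusCode: 503, body: `upstream error, key=${demoKey}` },
  { statusCode: 200, body: "queued" },
];
sendWithRetry(async () => demoReplies.shift(), { to: "+10000000000" }, demoKey, {
  sleep: async () => {}, // skip real waiting in the demo
}).then((res) => console.log("final statusCode:", res.statusCode));
```

A 403 returns after a single attempt, so a scope mistake shows up in the log immediately instead of after a full backoff cycle.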
Quick FAQ
Got 403 with code TENANT_SCOPE_NOT_ALLOWED
You used a tenant-scoped key on a per-number endpoint (e.g. POST /v1/messages/send). Use the number-scoped key from the API Keys page (/api-keys) instead.
Got 403 with code NUMBER_SCOPE_NOT_ALLOWED
You used a number-scoped key on a tenant-only endpoint (e.g. /v1/numbers/*, /v1/branding). Use the tenant-scoped key from Profile → API.
READ status / message.read never arrives
The read event only fires when the recipient has WhatsApp read receipts enabled (Settings → Privacy). Otherwise the lifecycle stops at DELIVERED — this is a WhatsApp behavior, not a delivery failure.