We'll build a webhook server that:
- Receives incoming messages and status updates
- Verifies signatures securely
- Uses the official SDK for parsing and handling events
- Is ready to be extended into a chatbot or customer support tool
TL;DR: Learn how to create a secure, production-ready webhook server in Node.js + TypeScript that receives messages from WhatsApp using the official Facebook Node.js Business SDK. This setup works directly with WhatsApp Business API (via Meta/Facebook), so itβs perfect for chatbots, automation, and customer messaging integrations.
π¬ Why Use the Facebook Business SDK?
Instead of manually parsing WhatsApp webhook payloads, you can use the officially supported SDK:
npm install --save facebook-nodejs-business-sdk
This gives you:
- Verified request signature validation π
- Built-in message/status parsing β
- Consistent event types π§©
- Better error handling π‘οΈ
Perfect for building scalable WhatsApp integrations.
π§° Tech Stack
We'll use:
- Node.js + Express.js
- TypeScript
- Express middleware
- facebook-nodejs-business-sdk
- Optional: Zod for schema validation
- Optional: dotenv for environment variables
π¦ Step 1: Setup Your Project
mkdir whatsapp-webhook-server
cd whatsapp-webhook-server
npm init -y
npm install express body-parser dotenv cors helmet morgan
npm install --save facebook-nodejs-business-sdk
npm install --save-dev typescript ts-node @types/express zod
Create tsconfig.json:
{
"compilerOptions": {
"target": "ES2020",
"module": "CommonJS",
"esModuleInterop": true,
"strict": true,
"outDir": "./dist"
},
"include": ["src/**/*"]
}
ποΈ Step 2: Basic Server Setup
Create src/index.ts:
import express from 'express';
import bodyParser from 'body-parser';
import dotenv from 'dotenv';
dotenv.config();
const app = express();
const PORT = process.env.PORT || 3000;
// Middleware
app.use(bodyParser.json());
app.use(express.json());
// Health check route
app.get('/health', (req, res) => {
res.status(200).send('β
WhatsApp webhook server is running!');
});
app.listen(PORT, () => {
console.log(`π WhatsApp webhook server is listening on port ${PORT}`);
});
Run it with:
npx ts-node src/index.ts
Test:
curl http://localhost:3000/health
Output: β
WhatsApp webhook server is running!
πͺ Step 3: Create WhatsApp Webhook Endpoint
WhatsApp sends JSON payloads to your webhook URL when users send messages or message statuses change.
Letβs create /whatsapp endpoint using the SDK.
Create src/webhookHandler.ts:
import { Request, Response } from 'express';
import { Webhook, Message } from 'facebook-nodejs-business-sdk';
const APP_SECRET = process.env.WHATSAPP_APP_SECRET as string;
export const handleWhatsAppWebhook = (req: Request, res: Response) => {
try {
// Initialize Webhook class with app secret
const webhook = new Webhook(APP_SECRET);
// Validate and parse the request
const isValid = webhook.validateRequest(req);
if (!isValid) {
return res.status(400).send('Invalid signature');
}
const payload = webhook.getPayload();
// Handle challenge for initial setup
if (payload.object === 'whatsapp_business_account') {
payload.entry.forEach((entry: any) => {
entry.changes.forEach((change: any) => {
const value = change.value;
const message = value.messages?.[0];
if (message) {
console.log("π¬ Incoming message:", message);
// You can now reply using WhatsApp Cloud API
}
const status = value.statuses?.[0];
if (status) {
console.log("π Message status updated:", status);
}
});
});
// Confirm receipt
return res.status(200).send('EVENT_RECEIVED');
}
res.status(400).send('Unknown object type');
} catch (err) {
console.error("β οΈ Error handling webhook:", err);
res.status(500).send('Internal Server Error');
}
};
Add route in index.ts:
import { handleWhatsAppWebhook } from './webhookHandler';
app.post('/whatsapp', handleWhatsAppWebhook);
π Step 4: Expose Locally for Testing
Use ngrok to get a public URL:
npx ngrok http 3000
Youβll get something like https://abc123.ngrok.io.
Use this URL when setting up your webhook in the Meta Developer Portal under your WhatsApp Business App settings.
Set the callback URL to:
https://abc123.ngrok.io/whatsapp
And verify token to match your app logic.
π§ͺ Step 5: Add Schema Validation (Optional)
Validate the shape of incoming WhatsApp events before processing.
Example schema for message object:
// src/schemas/whatsappSchema.ts
import { z } from 'zod';
export const WhatsAppMessageSchema = z.object({
from: z.string(),
id: z.string(),
timestamp: z.string(),
text: z.object({ body: z.string() }).optional(),
type: z.enum(['text', 'image', 'video', 'document', 'audio']),
});
In handler:
import { WhatsAppMessageSchema } from '../schemas/whatsappSchema';
if (message) {
const parsed = WhatsAppMessageSchema.safeParse(message);
if (parsed.success) {
console.log("β
Valid message received:", parsed.data);
} else {
console.warn("β Invalid message structure");
}
}
Now malformed messages are caught early β οΈ.
π Step 6: Acknowledge Fast, Process Later
Always respond quickly to avoid retries.
Refactor to process asynchronously:
setTimeout(async () => {
await processIncomingMessage(parsed.data);
}, 0);
res.status(200).send("EVENT_RECEIVED");
Or better yet, push to a queue system like BullMQ or Redis.
π§Ό Step 7: Prepare for Production
- Store logs securely (use Winston/Pino)
- Set up rate limiting (
express-rate-limit) - Rotate secrets regularly
- Deploy to Vercel, Render, AWS, or Heroku π
- Use HTTPS (required by WhatsApp)
β Summary: What Youβve Built
| Feature | Description |
|---|---|
| βοΈ Webhook Receiver |
/whatsapp endpoint accepting POSTs |
| βοΈ Signature Verification | Uses Facebook SDK for HMAC validation |
| βοΈ Event Parsing | Parses messages/statuses out-of-the-box |
| βοΈ Async Processing | Acknowledge fast, process later |
| βοΈ External Integration | Works with WhatsApp Business API |
| βοΈ Secure by Default | Uses SDK, logging, secret checks |
π¨ Final Tips
- Always respond within seconds β‘
- Never throw unhandled errors β οΈ
- Log everything during dev π
- Store events for audit/retry (optional) ποΈ
- Rotate secrets regularly π
π’ Share This Post
If you found this useful, share it with your fellow devs and help others build secure, robust WhatsApp webhook servers too!
Top comments (0)