I open-sourced my self-hosted WhatsApp API platform after months of building

#opensource #whatsapp #selfhosted #node

After months of building and dogfooding on production, I open-sourced WaSphere today — a self-hosted WhatsApp API platform.

What it is

A Twilio alternative for WhatsApp that runs on your own server. MIT licensed, one docker-compose command to deploy.

Why I built it

Twilio's WhatsApp pricing breaks small businesses. The few self-hosted options out there are either abandoned, missing security basics (most have no SSRF guard on webhook delivery), or have brutal developer experience.

WHMCS resellers and dev teams deserve better.

What's in v1.0

One docker-compose command deploys the full stack
Multi-session — connect unlimited WhatsApp accounts per instance
14 message types via REST API
HMAC-signed webhooks (HMAC-SHA256 over timestamp.body)
SSRF guard with DNS pinning + private-IP denylist
Scoped API keys with 12 granular permissions + per-session scoping
Developer dashboard with audit log and dark mode
MIT licensed

Security decisions

The security pass before opening it up was non-negotiable:

SSRF guard with DNS pinning + manual redirect (blocks cloud metadata)
AES-256-GCM for stored secrets
Argon2id passwords + timing-safe login
JWT refresh-token rotation with reuse detection
Registration locks after first admin

Architecture

Two cleanly separated services so the GPL-licensed Baileys engine stays isolated from the application layer:

WA Server — WhatsApp gateway (the GPL boundary)
Dashboard API — auth, workspaces, webhooks, proxy
Dashboard UI — Next.js console

The GPL/MIT licensing boundary is real and important. Baileys only runs in the WA Server binary. The dashboard, API, and auxiliary code stay MIT-clean.

DEV Community