WhatsApp and Meta Setup
The integration uses Meta Graph API v25.0, a public WordPress webhook, HMAC request signatures, and the active SmartSite assistant.
WhatsApp setup joins three systems: the public WordPress REST webhook, a Meta app and phone-number resource, and the SmartSite response service. Meta first verifies the callback with your chosen Verify Token. It then signs each POST body with the App Secret; SmartSite validates that signature before reading the text, marking it read, producing an answer, and sending one or more Graph API reply messages.
Work through this page by starting when you copy the displayed webhook url ending in /wp-json/smartsite/v1/webhook/whatsapp. Finish by making sure you send a text message and verify reply, mark-read behavior, logging, and security checks; if that check fails, the field descriptions help identify whether the problem belongs to content, behavior, transport, or operations.
What this feature does and when to use it
Section titled “What this feature does and when to use it”Connect a Meta app and WhatsApp Business phone number after the site is reachable over HTTPS.
Use this feature in the following situations:
- You are connecting a Meta WhatsApp test or production number to SmartSite.
- Meta can reach WordPress but webhook verification, signatures, or reply delivery still needs configuring.
- You want the optional WhatsApp link to appear on the website widget’s landing screen.
Where to find it
Section titled “Where to find it”Before you begin
Section titled “Before you begin”- SmartSite Assistant is installed and activated.
- You are signed in with an account that can manage WordPress options.
- A Meta app with WhatsApp product access and an approved/test phone setup.
- A public HTTPS WordPress REST URL reachable by Meta.
- A secret manager for the access token, app secret, and verify token.
Set it up step by step
Section titled “Set it up step by step”- Copy the displayed webhook URL ending in /wp-json/smartsite/v1/webhook/whatsapp.
- In Meta, configure that callback URL and subscribe to message events.
- Create a strong Webhook Verify Token and enter the identical value in Meta and WordPress.
- Enter Phone Number ID (6–24 digits), Access Token, and App Secret (32 hexadecimal characters).
- Optionally enter Business Account ID; the current runtime does not otherwise use it.
- Optionally enter the public WhatsApp phone number using country code and digits without + for the website landing link.
- Save, run Test Connection, then Enable.
- Send a text message and verify reply, mark-read behavior, logging, and security checks.
Fields, controls, and important values
Section titled “Fields, controls, and important values”These values connect one Meta phone resource to the plugin and protect incoming webhook traffic. Correct identifiers and credentials make delivery possible, while the public phone number only creates the visitor link. None of them improves answer quality directly: WhatsApp receives better replies only when the active assistant, knowledge, and tools are already well configured.
| Field, control, or status | What SmartSite Assistant does with it | How to use it and why it matters |
|---|---|---|
| Phone Number ID | Required 6–24 digit Meta phone resource ID. | Copy the 6–24 digit phone-resource identifier from the Meta app configuration, not the human-readable WhatsApp number. The plugin uses it in Graph API requests, so an ID for another number sends or tests against the wrong resource. |
| Business Account ID | Optional stored field; not used in the current message flow. | Store the matching WhatsApp Business Account identifier only for configuration records or future use. The current message flow does not read this field, so changing it cannot fix connection or delivery failures. |
| Access Token | Required bearer token for Meta Graph calls. | Paste the Meta bearer token authorized for the configured phone resource. Protect and rotate it like a password; the connection test can validate Graph access, but incoming webhook verification and signatures require separate fields. |
| App Secret | Required 32-character hexadecimal secret used to validate X-Hub-Signature-256. | Paste the 32-character hexadecimal secret for the same Meta app. The plugin uses it to verify the SHA-256 signature on incoming POST webhooks, so a mismatch causes real events to be rejected even if outgoing Graph calls work. |
| Webhook Verify Token | User-defined shared value required for Meta GET webhook verification, even though the UI does not mark it required. | Create a strong private value and enter the identical value in Meta’s webhook setup. Meta sends it during the GET challenge; it is required by the implementation even though the current UI does not visually mark it required. |
| WhatsApp Phone Number | Optional digits with country code and no plus sign; creates the public wa.me link on the widget landing screen. | Enter the public number as country-code digits without a plus sign. This creates the visitor-facing wa.me link on the widget landing screen; it is not used instead of Phone Number ID for Graph API calls. |
| Message length | Replies are split into chunks of at most 4,096 characters at paragraph, sentence, or word boundaries. | No administrator field changes the 4,096-character chunk size. Expect long responses to be divided at readable boundaries, and test a long synthetic answer so downstream ordering and readability are acceptable. |
How to confirm it is working
Section titled “How to confirm it is working”Confirm WhatsApp and Meta Setup with the smallest representative end-to-end test. When the result differs from the success description, keep the exact input and state so troubleshooting can identify the responsible layer without changing unrelated AI settings.
Practical example
Section titled “Practical example”Enter 385XXXXXXXXX—not +385…—for the optional public link, while using the separate numeric Phone Number ID for API calls.
Recommended practice
Section titled “Recommended practice”- Change one part of WhatsApp and Meta Setup at a time and keep a short record of the previous value and test result.
- Verify the saved result in the screen, visitor session, or connected service that actually consumes the setting.
Important warnings
Section titled “Important warnings”Common problems and focused checks
Section titled “Common problems and focused checks”| Problem | What to check and what to do next |
|---|---|
| Meta cannot verify the webhook. | Confirm public HTTPS reachability and that the identical nonempty Verify Token is stored on both sides. |
| Signed POST is rejected. | Confirm the App Secret belongs to the same Meta app; the plugin validates X-Hub-Signature-256 against the raw body. |
| WhatsApp and Meta Setup is missing or does not match this guide. | Confirm the plugin is active and the account can manage WordPress options. Test Meta connection, webhook verification, signed delivery, and the shared AI pipeline as separate stages. |
| A change on WhatsApp and Meta Setup does not produce the expected result. | Keep the exact notice and test case, then review the browser console and WordPress/PHP log. Test Meta connection, webhook verification, signed delivery, and the shared AI pipeline as separate stages. |
Screen reference
Section titled “Screen reference”- Capture
- Show the WhatsApp configuration panel with all secret fields masked, the webhook URL visible, and fictional numeric IDs.
- Show
- Webhook URL, Enable, Phone Number ID, Business Account ID, masked Access Token/App Secret, Verify Token, public phone, Test Connection
- Viewport
- Desktop, 1440 × 900
- Annotate
- Use numbered callouts only for controls referenced in the procedure.
- Redact
- OpenAI keys, tokens, secrets, personal information, private URLs, IP addresses, and conversation text