Overview

The WhatsApp Business API allows medium and large businesses to communicate with their customers at scale. Using the API, businesses can build systems that connect thousands of customers with agents or bots, enabling both programmatic and manual communication. Additionally, you can integrate the API with numerous backend systems, such as CRM and marketing platforms.

Businesses looking to use the API have two hosting options: On-Premises and Cloud API. In general, we recommend that the majority of businesses use the Cloud API due to ease of implementation and maintenance.

A given phone number can only be on one platform at a time: Either on Cloud API or on On-Premises. This means that you cannot use a production phone number on both On-Premises and Cloud API at the same time.

Cloud API Overview

To use the Cloud API, businesses make calls to Meta’s Graph API to send messages and Webhooks to receive events, such as messages and status updates. The Graph API is a form of Remote Procedure Call expressed over HTTP, where operations and their parameters are expressed using a combination of URL parameters, headers, and request body.

A call to the Graph API from UNIX-based command lines looks like this:

curl -X POST \
  'https://graph.facebook.com/v14.0/FROM_PHONE_NUMBER_ID/messages' \
  -H "Authorization: ACCESS_TOKEN" \
  -d '{
    "messaging_product": "whatsapp",
    "to": "1650XXXXXXX",
    "text": {"body" : "hi"}
   }'

Compared to the On-Premises implementation, a Graph API integration relies on a different authentication mechanism (see User Access Token), a different Webhook setup process (see Setup Webhooks), and has different latencies and error rates. For more information on how to use the Graph API, see the Graph API Developer Documentation.

Rate Limits

Cloud API follows Business Use Case Rate Limits. Each WhatsApp Business Account (WABA) has a call count rate limit and each call made by your app counts toward the limit. An app’s call count for a WABA is the number of calls it can make to business accounts under this WABA during a rolling one hour window and is calculated as follows:

Calls within one hour for a WABA = 1800000 * Number of Registered Numbers under this WABA

You will receive an error code 80007 when you hit call limits.

Besides platform rate limits, we have the following rate limits applicable to Cloud API accounts:

Available Metrics

As a Cloud API user, you can see the number of messages sent and delivered, as well as other metrics. See Get Account Metrics for information.

Scaling

Within Meta's infrastructure, the Cloud API automatically scales and adjusts to handle your workload, within your rate limit (messaging volume and number of WhatsApp business accounts).

Data Privacy & Security

See our Privacy & Security Overview for information.

Encryption

With the Cloud API, every WhatsApp message continues to be protected by Signal protocol encryption that secures messages before they leave the device. This means messages with a WhatsApp business account are securely delivered to the destination chosen by each business.

The Cloud API uses industry standard encryption techniques to protect data in transit and at rest. The API uses Graph API for sending messages and Webhooks for receiving events, and both operate over industry standard HTTPS, protected by TLS. See our Encryption Overview whitepaper for additional details.

See our Encryption Overview whitepaper for additional details.

On-Premises API vs. Cloud API Comparison

Key Differences

Key DifferencesOn-Premises APICloud API

Hosting

Individual businesses and/or BSPs need to host the API software on their own servers and in data centers.

Meta hosts the API.

Maintenance

Individual businesses and/or BSPs need to perform API software upgrades periodically.

API software upgrades are performed by Meta and new features and security updates are available automatically on the Cloud API.


Developers no longer need to do setup, maintenance or scaling work. There will be minimal code changes required to adapt to longer-term API changes.

Costs

Businesses or BSPs need to:

  • Pay the costs of setting up and maintaining their servers.
  • Pay per message sent or per conversation, following the rules described here.

Meta pays for the hosting costs.


Businesses only pay per message sent or conversation, per the rules described here.

API Protocol

On-Premises REST API.

Graph API.

Message Throughput

(Per Second)

Send up to 70 text messages per second for single-connect.


Send up to 250 text messages per second for multi-connect.


Sending media messages may reduce these numbers.

Up to 80 messages per second of combined sending and receiving (inclusive of text and media messages) between one business number and many consumer numbers. In the event of high system loads, a business may experience reduced message throughput.


Starting in July 2022, Cloud API will support up to 250 messages per second of combined sending and receiving (inclusive of text and media messages), by request.

Certificate Management

You manage your Certificate Authority (CA) and Webhook CA certificates.

Meta manages the CA certificates.


For a Webhook CA certificate, your Webhooks server needs to support HTTPS and have a valid CA-chained TLS/SSL certificate installed. Self-signed certificates are not supported.

Media Provider API

Supported.

Deprecated. To upload media to the Cloud API, follow these steps.

Stickerpack Management API

Supported.

Currently not supported.

Disaster Recovery

Business/BSP needs to deploy in “high availability” model.

No SLA.

Single-tenant vs. Multi-tenant

Single-tenant (single phone number per deployment).

Not applicable. Multiple phone numbers can be registered on Cloud API.

Send Message Request Processing Latency

Dependent on business deployment location (i.e. latency from their infra to WhatsApp infra in North America).

Expect the latency between receiving a request and sending a response on Meta servers to be:

90th percentile: ~1s

99th percentile: ~2s


There is a plan to eventually get to

99th percentile: ~500ms

Server Location

Dependent on business.

North America.

Baseline Request Error Rates

Not published. Solution has retry built in except when the error is not intermittent (i.e. business error, setup error or user error).

0.1%. Solution has retry built in except when the error is not intermittent (i.e. business error, setup error or user error).

Monitoring Metrics Available

Insights data available.


Businesses are responsible for setting up monitoring of the on-premise solution themselves (monitoring containers included in packaging).

Insights data available.


Meta monitors instance health.

SLA (Uptime)

Not specified because it depends on an end-to-end API solution, which includes the businesses or BSP’s infrastructure.

Commercially reasonable efforts to meet our goals of 99.9% at GA.

Support

7x24 for critical issues on a best effort basis.

7x24 for critical issues. Continuous work until the issue is resolved or mitigated.

Deprecations

The Check Contacts and the Media Provider APIs are still in use for the On-Premises API, but they have been deprecated with the Cloud API. See more information below:

On-Premises APICloud API

Check Contacts API

For Cloud API, this call is no longer required to send messages. You can just use the person’s phone number.

Media Provider API

To upload media to the Cloud API, follow these steps.