Skip to main content

WhatsApp Cloud API - Business Encryption API

Copy for LLM View as Markdown Version v23.0 API for managing WhatsApp Business Account encryption settings and public key management. This endpoint allows businesses to set up and manage encryption for their WhatsApp Business messaging by uploading and retrieving business public keys used for payload encryption.

Base URL

| https://graph.facebook.com |

Endpoints

| GET | ///whatsapp_business_encryption | | POST | ///whatsapp_business_encryption |

GET ///whatsapp_business_encryption

Retrieve the current business public key and its signature verification status. This endpoint returns the public key that is currently configured for encrypting message payloads and indicates whether the stored signature is valid or has a mismatch. Use Cases: Verify current encryption configuration Check public key signature validation status Retrieve public key for client-side encryption setup Monitor encryption key status for security compliance Rate Limiting: Standard Graph API rate limits apply. Use appropriate retry logic with exponential backoff. Caching: Public key information can be cached for moderate periods, but signature status may change and should be checked regularly for security validation.

Request Syntax

GET///whatsapp_business_encryption Try it Select language cURLJavaScriptPython 
curl --request GET \
  --url 'https://graph.facebook.com/{Version}/{Phone-Number-ID}/whatsapp_business_encryption' \
  --header 'Authorization: Bearer <Token>' \
  --header 'Content-Type: application/json' \
  --data '{}'
Select status code 200400401403404422429500 
{
  "valid_key": {
    "summary": "Valid public key with verified signature",
    "value": {
      "data": [\
        {\
          "business_public_key_signature_status": "VALID"\
        }\
      ]
    }
  },
  "mismatch_key": {
    "summary": "Public key with signature mismatch",
    "value": {
      "data": [\
        {\
          "business_public_key": " ",\
          "business_public_key_signature_status": "MISMATCH"\
        }\
      ]
    }
  }
}
Header Parameters
User-Agentstring The user agent string identifying the client software making the request. Authorizationstring·required Bearer token for API authentication. This should be a valid access token obtained through the appropriate OAuth flow or system user token. Path Parameters
Versionstring·required Graph API version to use for this request. Determines the API behavior and available features. Phone-Number-IDstring·required Your WhatsApp Business phone number ID. This ID represents the phone number entity and can be obtained from your WhatsApp Business Account phone numbers list. Query Parameters
fieldsstring Comma-separated list of fields to include in the response. If not specified, all available fields will be returned. Available fields: business_public_key, business_public_key_signature_status Responses
Retrieve the current business public key and its signature verification status. This endpoint returns the public key that is currently configured for encrypting message payloads and indicates whether the stored signature is valid or has a mismatch. Use Cases: Verify current encryption configuration Check public key signature validation status Retrieve public key for client-side encryption setup Monitor encryption key status for security compliance Rate Limiting: Standard Graph API rate limits apply. Use appropriate retry logic with exponential backoff. Caching: Public key information can be cached for moderate periods, but signature status may change and should be checked regularly for security validation. 200 Successfully retrieved business encryption public key information Content Type: application/json Schema: object Show child attributes
dataarray of WhatsAppBusinessEncryptionInfo Show child attributes
data[]WhatsAppBusinessEncryptionInfo Business encryption public key information and verification status Show child attributes
business_public_keystring·required The business public key used for encrypting message payloads. This key is used to encrypt data channel requests and responses. Show child attributes
business_public_key_signature_statusBusinessPublicKeyVerificationStatus Status of business public key signature verification 400 Bad Request - Invalid parameters or malformed request Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 401 Unauthorized - Invalid or missing access token Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 403 Forbidden - Insufficient permissions or access denied Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 404 Not Found - Phone number ID does not exist or is not accessible Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 422 Unprocessable Entity - Request parameters are valid but cannot be processed Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 429 Too Many Requests - Rate limit exceeded Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 500 Internal Server Error - Unexpected server error Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes Select language cURLJavaScriptPython 
curl --request GET \
  --url 'https://graph.facebook.com/{Version}/{Phone-Number-ID}/whatsapp_business_encryption' \
  --header 'Authorization: Bearer <Token>' \
  --header 'Content-Type: application/json' \
  --data '{}'
Select status code 200400401403404422429500 
{
  "valid_key": {
    "summary": "Valid public key with verified signature",
    "value": {
      "data": [\
        {\
          "business_public_key_signature_status": "VALID"\
        }\
      ]
    }
  },
  "mismatch_key": {
    "summary": "Public key with signature mismatch",
    "value": {
      "data": [\
        {\
          "business_public_key": " ",\
          "business_public_key_signature_status": "MISMATCH"\
        }\
      ]
    }
  }
}

POST ///whatsapp_business_encryption

Upload and configure a business public key for message payload encryption. This endpoint accepts a business public key in PEM format, validates it, and stores it with a cryptographic signature for future use in encrypting message payloads and data channel requests. Use Cases: Initial setup of encryption for WhatsApp Business messaging Update existing public key for key rotation Enable secure payload encryption for sensitive business communications Configure encryption keys for compliance requirements Key Requirements: Must be a valid RSA public key in PEM format Key must meet Meta’s security standards for encryption Only one active public key per phone number at a time Previous keys are replaced when new ones are uploaded Rate Limiting: Standard Graph API rate limits apply. Key uploads may have additional security-related rate limiting to prevent abuse.

Request Syntax

POST///whatsapp_business_encryption Try it Select language cURLJavaScriptPython 
curl --request POST \
  --url 'https://graph.facebook.com/{Version}/{Phone-Number-ID}/whatsapp_business_encryption' \
  --header 'Authorization: Bearer <Token>' \
  --header 'Content-Type: multipart/form-data' \
  --data '{
  "business_public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...\n-----END PUBLIC KEY-----\n"
}'
Select status code 200400401403404422429500 
{
  "success": {
    "summary": "Successful key upload",
    "value": {
      "success": true
    }
  }
}
Header Parameters
User-Agentstring The user agent string identifying the client software making the request. Authorizationstring·required Bearer token for API authentication. This should be a valid access token obtained through the appropriate OAuth flow or system user token. Path Parameters
Versionstring·required Graph API version to use for this request. Determines the API behavior and available features. Phone-Number-IDstring·required Your WhatsApp Business phone number ID. This ID represents the phone number entity and can be obtained from your WhatsApp Business Account phone numbers list. Request BodyRequired
Content Type: multipart/form-data Schema: WhatsAppBusinessEncryptionUploadRequest Show child attributes
WhatsAppBusinessEncryptionUploadRequest
business_public_keystring·required The business public key in PEM format to be uploaded and signed. Must be a valid RSA public key that will be used for payload encryption. Responses
Upload and configure a business public key for message payload encryption. This endpoint accepts a business public key in PEM format, validates it, and stores it with a cryptographic signature for future use in encrypting message payloads and data channel requests. Use Cases: Initial setup of encryption for WhatsApp Business messaging Update existing public key for key rotation Enable secure payload encryption for sensitive business communications Configure encryption keys for compliance requirements Key Requirements: Must be a valid RSA public key in PEM format Key must meet Meta’s security standards for encryption Only one active public key per phone number at a time Previous keys are replaced when new ones are uploaded Rate Limiting: Standard Graph API rate limits apply. Key uploads may have additional security-related rate limiting to prevent abuse. 200 Successfully uploaded and configured business encryption public key Content Type: application/json Schema: WhatsAppBusinessEncryptionUploadResponse Show child attributes
WhatsAppBusinessEncryptionUploadResponse
successboolean·required Indicates whether the public key was successfully uploaded and signed 400 Bad Request - Invalid parameters or malformed request Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 401 Unauthorized - Invalid or missing access token Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 403 Forbidden - Insufficient permissions or access denied Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 404 Not Found - Phone number ID does not exist or is not accessible Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 422 Unprocessable Entity - Request parameters are valid but cannot be processed Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 429 Too Many Requests - Rate limit exceeded Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes 500 Internal Server Error - Unexpected server error Content Type: application/json Schema: GraphAPIError Show child attributes
GraphAPIError
errorobject·required Show child attributes
messagestring·required Human-readable error message
typestring·required Error category type
codeinteger·required Numeric error code
error_subcodeinteger More specific error subcode when available
fbtrace_idstring Unique identifier for debugging and support requests with Meta
is_transientboolean Indicates whether this error is temporary and the request should be retried
error_user_titlestring User-friendly error title for display purposes
error_user_msgstring User-friendly error message for display purposes Select language cURLJavaScriptPython 
curl --request POST \
  --url 'https://graph.facebook.com/{Version}/{Phone-Number-ID}/whatsapp_business_encryption' \
  --header 'Authorization: Bearer <Token>' \
  --header 'Content-Type: multipart/form-data' \
  --data '{
  "business_public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...\n-----END PUBLIC KEY-----\n"
}'
Select status code 200400401403404422429500 
{
  "success": {
    "summary": "Successful key upload",
    "value": {
      "success": true
    }
  }
}

Authentication

| Scheme | Type | Location | | bearerAuth | HTTP Bearer | Header: Authorization |

Usage Examples

bearerAuth: Include Authorization: Bearer your-token-here in request headers

Global Authentication Requirements

All endpoints require: bearerAuth Did you find this page helpful? Thumbs up icon Thumbs down icon