1. Open a Meta Business Account
Create one at business.facebook.com or use an existing one. Fill in legal business name, address, website, phone, and country. This data has to match whatever you submit for business verification later, so be exact.2. Create a Meta app
In developers.facebook.com, create an app of type Business and add the WhatsApp product.3. Prepare 3 public pages
You need three publicly accessible URLs before Meta will move you anywhere:- Privacy policy.
- Terms of service.
- Data deletion URL or written instructions.
4. Create a WhatsApp Business Account
Create a new WABA under your MBA, set its currency and timezone, and link it explicitly so the MBA owns the asset. The WABA is the container for your phone numbers, message templates, and webhook subscriptions, and Meta will not let you do anything WhatsApp-related until one exists and is owned correctly.5. Get a real phone number not connected to WhatsApp
Add a real phone number under the WABA. It cannot already be connected to any WhatsApp account, consumer app or Business app. If it is, you have to delete that account first, which deletes its chat history. Then verify the number via SMS or voice OTP.6. Create a system user and permanent token
Create a system user under the MBA, assign it Full Control on the app and on the WABA, and generate a non-expiring token with scopeswhatsapp_business_messaging and whatsapp_business_management.
7. Set up an HTTPS endpoint for webhooks
You need a public HTTPS endpoint with a valid TLS certificate to receive incoming messages. From there you also have to:- Register a callback URL and a verify token with your app’s WhatsApp product.
- Respond to Meta’s
GET ?hub.challenge=...handshake by echoing the challenge back. - Subscribe webhook fields. At minimum
messages. Addmessage_template_status_update,account_update, andphone_number_quality_updatefor full visibility. - Call
POST /{waba-id}/subscribed_appswith the system-user token. Without this, the webhook is registered but no events flow.
8. Set up a stable tunnel for local development
Meta will not calllocalhost. For local development you have to run a tunnel like ngrok to forward a public HTTPS URL to your machine. Free ngrok URLs rotate on every restart and force you to re-register the webhook in Meta’s App Dashboard each time, so a stable URL means a paid ngrok plan.
9. Submit App Review for each permission
whatsapp_business_messaging (send and receive) and whatsapp_business_management (manage WABAs, templates, numbers) both need Advanced access, which goes through App Review. Each permission is a separate submission, and each submission requires:
- A detailed text description of how the app uses the permission.
- A screencast showing the full user flow end-to-end, including consent screens and the action the permission enables.
- Test credentials Meta reviewers can use to reproduce the flow.
- Platform info (web, iOS, Android URLs).
10. Complete data handling
Fill in Meta’s Data Handling questionnaire describing what data you collect, store, and share. Then run the Data Use Checkup, which has to be repeated annually after the first pass to keep advanced permissions live.11. Switch the app to live
Once App Review is approved and Business Verification on the MBA is done (anywhere from 10 minutes to roughly 14 working days depending on country and document quality), flip the app from Development to Live. Advanced access on the WhatsApp permissions kicks in for real customers, not just test numbers, the moment the toggle flips.Why HookMyApp
It all comes down to three things. To receive messages, you give Meta a webhook URL so it knows where to send them. To send messages, you need an access token and a phone number ID. HookMyApp solves all three in five minutes, plus a better way to develop locally.Next steps
- Sandbox: Start sending and receiving in minutes with no Meta paperwork.
- Connect WhatsApp: Embedded signup when you are ready for your own number.