API Design & Data Security

Business Solution Providers (BSPs), selected by Facebook/WhatsApp, vouch for the quality and conformity of the processing of WhatsApp messages as required by Facebook.

Communication via the WhatsApp Business API is based on the WhatsApp set-up of virtual machines or virtual containers running WhatsApp software that communicates with the WhatsApp server. The software (Docker image) that encrypts and decrypts WhatsApp messages must be hosted by the Facebook Business Solution Provider (BSP), usually in a cloud environment. When we talk about hosting of WABAs, we mean hosting the encryption software that enables encrypted end-to-end communication between a business and its customers. At the same time, this set-up enables conformity in terms of data security.

How do WhatsApp API and WABA hosting work technically?

Messages stay encrypted from the WhatsApp app on a user's smartphone, through the WhatsApp data centers, until they reach Docker containers hosted by an official Facebook Business Solution Provider (BSP) like 360dialog. Decryption takes place only in these containers. The containers are installed in a highly redundant and multi-connect environment. These are the (modular) components:

1. REST API container: The API container provides endpoints to interact with the Business API.

2. Backend service container(s): The backend service runs the application that communicates with the WhatsApp servers. It uses encrypted connections exclusively.

3. External/containerized database: WhatsApp provides two options for the database: a connection to an existing MySQL database server, or a database container.

4. Backend processing: When the Docker container receives an incoming message, it triggers a (pre-configured) webhook that includes the message details (attachments are only sent as links).

The API acts like a third-party, remote REST API. 360dialog has built a solid and redundant infrastructure around this. Because it uses Docker, the setup is highly scalable.

After contracting WABA API hosting and integrating it into your solution, you need to make the following two HTTP calls to send a message via the 360dialog WhatsApp API:

1. Check contact availability

Reference: https://developers.facebook.com/docs/whatsapp/api/contacts

POST /contacts
https://waba.360dialog.io/v1/contacts

Request body parameters:

  • blocking (optional, string): no_wait (default), wait

  • contacts (required, array): +4912345678910

  • force_check (optional, boolean): false (default), true

Response (200: OK):

    {
      "contacts": [
        {
          "input": "+55123456789",
          "wa_id": "55123456789",
          "status": "valid"
        }
      ]
    }

We can send messages to contacts with status "valid" only.

Example Request:

    POST https://waba.360dialog.io/v1/contacts
    {
      "blocking": "wait",
      "contacts": [
        "+55123456789"
      ],
      "force_check": true
    }

2. Send a message

Reference: https://developers.facebook.com/docs/whatsapp/api/messages

POST /messages
https://waba.360dialog.io/v1/messages

Request body parameters:

  • recipient_type (optional, string): individual

  • to (required, string): wa_id from /v1/contacts request

  • type (optional, string): text (default)

  • text (required, object): contains body field

Response (201: Created):

    {
      "messages": [
        {
          "id": "gBGHSRUUIXKJTwIJVQgXRR0rdXiv"
        }
      ],
      "meta": {
        "api_status": "stable",
        "version": "2.31.5"
      }
    }

Example Request (the "to" value is the wa_id from the /v1/contacts request):

    POST https://waba.360dialog.io/v1/messages
    {
      "recipient_type": "individual",
      "to": "55123456789",
      "type": "text",
      "text": {
        "body": "Hello, dear customer!"
      }
    }

After sending, the message is passed to the WhatsApp Business container, where it is encrypted and dispatched into the WhatsApp infrastructure, and finally pushed to the targeted device, where it is decrypted: the "Hello, dear customer!" notification pops up on the screen of the device.
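The two-call procedure above as an added Python example (not 360dialog's or WhatsApp's own code): it sends only to a contact whose status is "valid" and addresses the message to the returned wa_id rather than the raw input. The injected `post` transport, the E.164 check, the function names and the `fake_post` stand-in are assumptions; authentication is not described on this page and is left to the transport.

```python
import re
from typing import Callable

BASE_URL = "https://waba.360dialog.io/v1"   # base URL from the page
E164 = re.compile(r"^\+[1-9]\d{6,14}$")     # assumption: inputs are E.164 numbers

# Transport is injected: post(url, json_body) -> (http_status, parsed_json).
# Authentication is not described on the page, so it is left to the transport.
Post = Callable[[str, dict], tuple]


def resolve_wa_id(post: Post, phone: str) -> str:
    """Step 1: POST /contacts and return wa_id only for a 'valid' contact."""
    if not E164.match(phone):
        raise ValueError(f"not an E.164 number: {phone!r}")
    status, body = post(f"{BASE_URL}/contacts",
                        {"blocking": "wait", "contacts": [phone], "force_check": True})
    if status != 200:
        raise RuntimeError(f"/contacts returned HTTP {status}")
    for contact in body.get("contacts", []):
        if contact.get("input") == phone and contact.get("status") == "valid":
            return contact["wa_id"]
    raise LookupError(f"{phone} is not a valid WhatsApp contact")


def send_text(post: Post, phone: str, text: str) -> str:
    """Step 2: POST /messages to the wa_id from step 1; return the message id."""
    wa_id = resolve_wa_id(post, phone)
    status, body = post(f"{BASE_URL}/messages",
                        {"recipient_type": "individual", "to": wa_id,
                         "type": "text", "text": {"body": text}})
    if status != 201:
        raise RuntimeError(f"/messages returned HTTP {status}")
    return body["messages"][0]["id"]


def fake_post(url: str, payload: dict) -> tuple:
    """Constructed offline stand-in that replays the sample responses above."""
    if url.endswith("/contacts"):
        known = {"+55123456789": "55123456789"}   # constructed directory
        return 200, {"contacts": [
            {"input": p, "wa_id": known[p], "status": "valid"} if p in known
            else {"input": p, "status": "invalid"} for p in payload["contacts"]]}
    return 201, {"messages": [{"id": "gBGHSRUUIXKJTwIJVQgXRR0rdXiv"}]}


if __name__ == "__main__":
    print(send_text(fake_post, "+55123456789", "Hello, dear customer!"))
```
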

How is GDPR compliance guaranteed?

For European businesses, storage and processing of user data (according to the GDPR) needs to happen within the EU. 360dialog's services include WABA Docker hosting in the country or legal framework the business requires. For example, many Russian customers require hosting in Russia, and 360dialog is the right partner for them. Above all: 360dialog does not store any decrypted messages.

Does the server need to access the internet through 80/443 port?

Our servers accept only HTTPS (HTTP over SSL) connections on port 443 (the standard port for HTTPS).

Communication to us always goes to the IP address 35.242.231.92. Communication from us always originates from one of these IPs:
