Developer guide
Login with WhatsApp
Let users sign in by sending a short LOGIN message on WhatsApp. Messlo verifies their number; your backend confirms the token and creates your own session.
Lower cost than WhatsApp OTP
Cheaper than ₹0.115 Authentication OTP
Outbound WhatsApp OTP templates use Meta’s official Authentication rate for India (about ₹0.115 per verification in INR). Login with WhatsApp lets the user message you first—no Authentication OTP template—so you avoid that per-OTP charge. Messlo adds 0% markup on Meta fees.
Messlo platform cost per login
Plan prices convert to your selected currency. Allocated Messlo cost per login stays below Meta’s India Authentication OTP rate (₹0.115) at the included session cap.
At 10,000 logins/month (India): OTP Meta ≈ ₹1,150 vs Vyapar Messlo platform ≈ ₹200—about ₹950 less on platform fees alone (₹0.115 Meta Authentication benchmark).
At 10,000 logins/month in India, Authentication OTP Meta cost alone is about ₹1,150 (₹0.115 × logins). Login with WhatsApp avoids that OTP line item.
For India, OTP comparisons use ₹0.115 per verification as a typical Authentication OTP template benchmark—not Meta’s full published Authentication conversation rate, which can differ. Figures are illustrative only; your actual Meta invoice may vary by template, volume, and billing rules.
Meta Authentication rates from Meta’s rate card for India (INR). Messlo plan prices are billed in INR and converted using live FX. Messlo never marks up Meta WhatsApp fees. Logins above your plan session cap require an upgrade.
How it works
Five steps from your UI to a verified user on your server.
1. Your app (start): POST /start → show waLink
2. User: Sends LOGIN code on WhatsApp
3. Meta → Messlo: Webhook delivers message
4. Your app (client): SSE verified → GET /status
5. Your server: POST /verify-token → your session
Official npm packages & demo
Ship Login with WhatsApp faster using our published SDKs. Your API key and webhook secret stay on the server; the client SDK calls your proxy routes only.
```sh
MESSLO_WA_LOGIN_API_KEY=your_api_key_from_messlo_dashboard
MESSLO_WA_LOGIN_WEBHOOK_SECRET=your_webhook_secret_from_app_create
MESSLO_API_BASE_URL=https://api.messlo.com
```

```ts
import { MessloNodeSdk, nextAdapter } from "@getmesslo/messlo-node-sdk";

const sdk = new MessloNodeSdk({
  apiKey: process.env.MESSLO_WA_LOGIN_API_KEY!,
  baseUrl: process.env.MESSLO_API_BASE_URL,
});

// Each export below belongs in its own route file (path in the comment above it).

// app/api/auth/whatsapp-login/start/route.ts
export const POST = nextAdapter.startRoute(sdk);

// app/api/auth/whatsapp-login/status/[sessionId]/route.ts
export const GET = nextAdapter.statusRoute(sdk);

// app/api/auth/whatsapp-login/events/[sessionId]/route.ts
export const GET = nextAdapter.eventsRoute(sdk);
```

```ts
import { useMessloWhatsAppLogin } from "@getmesslo/messlo-whatsapp-login/react";

const { startLogin, status, waLink, error } = useMessloWhatsAppLogin({
  basePath: "/api/auth/whatsapp-login",
  // The client only forwards the token; the server validates it and creates the session.
  onVerified: async (verificationToken) => {
    await fetch("/api/auth/session", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ verificationToken }),
    });
  },
});
```

Code with AI
Copy a detailed prompt for Cursor, ChatGPT, or Claude. It includes Messlo docs links, the full API flow, and requires a server webhook handler with HMAC verification.
Create a Login app to embed your API key and webhook secret in the prompt. Create app or Sign In while signed in after creating an app in this session.
Which webhook do I set up?
There are three different channels — most confusion comes from mixing them up. You usually only configure one or two, not all three.
1. Meta → Messlo (automatic when WABA is connected in Messlo)
- Who calls whom: Meta (Facebook) → Messlo API
- Example URL: https://api.messlo.com/api/webhook/whatsapp
- When: User sends the LOGIN message to your WhatsApp Business number.
- You configure: Integrate WABA in Messlo (/integrate_waba). Messlo subscribes your WABA to our Meta app and sets the callback URL + verify token via API — you do not paste anything in Meta Console for the normal flow.
- You receive: Nothing on your server — Messlo reads the message and marks the session verified.
- Skip if: You chose Messlo shared number on the Login app, OR you only use Baileys (no Meta Cloud API). Manual Meta Console setup is only if auto webhook setup failed — use Retry webhook setup on WABA Phone Numbers.
2. Messlo → your frontend (recommended instead of polling)
- Who calls whom: Your mobile/web app (browser EventSource) → Messlo API SSE stream
- Example URL: GET /v1/auth/whatsapp/events/:sessionId?token={subscribeToken}
- When: Right after POST /start — listen until event is verified.
- You configure: No webhook URL. Use subscribeToken from /start in your client.
- You receive: { "event": "verified", "sessionId": "..." } — then call GET /status once for verificationToken.
- Skip if: You use your own server webhook (#3) or poll GET /status every 2s.
3. Messlo → your backend (optional)
- Who calls whom: Messlo → Your HTTPS endpoint (or Messlo hosted URL)
- Example URL: https://your-api.com/auth/messlo/whatsapp OR Messlo hosted: /api/whatsapp-auth/webhook/{appId}
- When: After login succeeds — same moment as SSE verified.
- You configure: Login with WhatsApp app → Edit → add Production/Staging webhook URL + save webhook secret.
- You receive: POST body: event "whatsapp.auth.verified", session_id, phone, profile_name, verified_at. Header X-Messlo-Signature (HMAC). You still call POST /v1/auth/verify-token with the token from GET /status.
- Skip if: Your app already uses SSE or polling and fetches verificationToken itself.
What you get at each step
| Step | Result |
|---|---|
| POST /v1/auth/whatsapp/start | sessionId, loginCode, waLink, subscribeToken, displayPhoneNumber, authAppName |
| User sends LOGIN on WhatsApp | Nothing yet — Messlo processes via Meta webhook (or Messlo shared inbox). |
| SSE event verified (or poll /status) | verificationToken (short-lived JWT, single-use) |
| POST /v1/auth/verify-token (your server) | { valid: true, user: { phone, name } } — then create YOUR session/JWT |
| Optional: your server webhook | whatsapp.auth.verified + phone + session_id (notification only; verify token separately) |
Set up in Messlo
One-time configuration in your Messlo account before writing code.
1. Create a Messlo account
   Sign up at /auth/register (email form) or use Sign up with WhatsApp on the same page — we verify your number via the LOGIN message and create your account without a separate phone OTP.
2. Connect WhatsApp Business (only if you use your own number)
   Optional. Skip this if you use Messlo's shared number. Otherwise go to Integrate WABA, connect your account, and register your phone — Messlo automatically configures Meta webhooks for inbound messages (including LOGIN codes). No manual Meta Developer Console step in the happy path.
3. Create a Login with WhatsApp app
   Open Login with WhatsApp → Create app. Pick Web (Flutter SDK coming soon), choose Your WhatsApp Business or Messlo shared number, and optionally add server webhooks. Copy the API key and webhook secret — they are shown only once.
4. If webhook auto-setup failed (rare)
   Optional. After Integrate WABA, open WABA Phone Numbers and use Retry webhook setup. Only if that fails, copy the Messlo webhook URL and verify token from the Login with WhatsApp sidebar into Meta Developer Console → WhatsApp → Configuration.
Integrate on your server
Messlo verifies WhatsApp identity; you issue your own app session after validating the token.
1. Install official SDKs (recommended)
   Backend: @getmesslo/messlo-node-sdk — Next.js/Express route adapters for start, status, SSE events, verify-token, and webhook HMAC. Frontend (React/Next.js): @getmesslo/messlo-whatsapp-login — hook + UI helpers that call your proxy routes. Full example: github.com/GetMesslo/nextjs-whatsapp-login-demo.
2. Start a login session
   POST /v1/auth/whatsapp/start with your app's API key (X-API-Key), or use MessloNodeSdk.startWhatsAppLogin() via your proxy route. You receive sessionId, loginCode, waLink, and subscribeToken. Phone number is chosen per app in Messlo (your WABA or Messlo shared). Optional body use_messlo_phone overrides the app default for a single request.
3. Show the user a WhatsApp link or QR
   Open waLink in the browser or render it as a QR code. The user must send the exact pre-filled LOGIN message from their WhatsApp app (same phone they want to verify).
4. Wait for verification (SSE recommended)
   Open GET /v1/auth/whatsapp/events/:sessionId?token={subscribeToken} as Server-Sent Events. When you receive event verified, call GET /v1/auth/whatsapp/status/:sessionId once to fetch verificationToken. Alternatively poll status every 2 seconds until success or HTTP 410 expired.
5. Verify the token on your backend only
   Never trust a phone number from the client. POST /v1/auth/verify-token with { token } using your API key. On valid: true you get user.phone and user.name. Issue your own JWT or session cookie.
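The backend exchange from step 5, as an added example (not Messlo's SDK and not code from this page): the handler ignores any phone the client sends and takes identity only from the verify-token response. The function names, the `cfg` shape, the 4096-character bound and the offline `stubFetch` are assumptions; the endpoint, header and response fields are the ones documented on this page.

```javascript
// Added example; exchangeVerificationToken, cfg and stubFetch are hypothetical names.
const VERIFY_PATH = "/v1/auth/verify-token"; // endpoint documented on this page

// Pure decision step: only a strict `valid: true` plus a phone string is an identity.
function identityFromVerifyResponse(data) {
  if (!data || data.valid !== true || !data.user || typeof data.user.phone !== "string") {
    return { ok: false, reason: "invalid_token" };
  }
  return { ok: true, phone: data.user.phone, name: data.user.name ?? null };
}

// Handles the client's POST { verificationToken }. Anything else in the body,
// including a client-supplied phone, is ignored on purpose.
async function exchangeVerificationToken(body, cfg, fetchImpl = fetch) {
  const token = body && body.verificationToken;
  // 4096 is an assumed sanity bound, not a documented limit.
  if (typeof token !== "string" || token.length === 0 || token.length > 4096) {
    return { ok: false, reason: "missing_token" }; // never reaches Messlo
  }
  const res = await fetchImpl(cfg.baseUrl + VERIFY_PATH, {
    method: "POST",
    headers: { "Content-Type": "application/json", "X-API-Key": cfg.apiKey },
    body: JSON.stringify({ token }),
  });
  // The token is single-use, so a failure is final: the user starts a new login.
  if (!res.ok) return { ok: false, reason: "verify_failed" };
  return identityFromVerifyResponse(await res.json());
}

// Constructed stand-in for the Messlo API so the example runs offline.
function stubFetch(responseBody, status = 200) {
  const calls = [];
  const impl = async (url, init) => {
    calls.push({ url, init });
    return { ok: status >= 200 && status < 300, json: async () => responseBody };
  };
  return { impl, calls };
}

const CFG = { baseUrl: "https://api.messlo.com", apiKey: "constructed_key" };
const demo = stubFetch({ valid: true, user: { phone: "+910000000000", name: "Test User" } });
exchangeVerificationToken(
  { verificationToken: "constructed.jwt.value", phone: "+919999999999" }, CFG, demo.impl
).then((result) => console.log(result)); // phone comes from Messlo, not the client
```

Create your own session or JWT only when the result has `ok: true`, keyed on the returned `phone`.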
Optional: server webhooks
Get notified on your backend when login completes — useful if you skip SSE.
1. Add webhook URLs in Messlo
   In your Login app settings, add Production / Staging URLs or enable Messlo hosted webhook. Messlo POSTs event whatsapp.auth.verified with header X-Messlo-Signature (HMAC of raw body with your webhook secret).
2. Verify the signature
   Validate X-Messlo-Signature before trusting the payload. The verification token in the event is the same value you would get from GET /status — still call verify-token on your server before creating a session.
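One way to implement the signature check on a raw request body, as an added example (not the SDK's helper and not code from this page). The page only says the header is an HMAC of the raw body with the webhook secret, so HMAC-SHA256 with hex encoding, the optional `sha256=` prefix, lower-cased header names and all function names are assumptions to confirm against the Messlo docs.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Assumption (not stated on the page): the header is hex(HMAC-SHA256(rawBody, secret)),
// optionally prefixed with "sha256=". Check the real format before relying on this.
function verifyMessloSignature(rawBody, signatureHeader, webhookSecret) {
  if (typeof signatureHeader !== "string" || !webhookSecret) return false;
  const presented = signatureHeader.trim().replace(/^sha256=/i, "");
  if (!/^[0-9a-f]{64}$/i.test(presented)) return false; // malformed: reject before comparing
  const expected = createHmac("sha256", webhookSecret).update(rawBody).digest();
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return timingSafeEqual(expected, Buffer.from(presented, "hex"));
}

// rawBody must be the bytes as received (a Buffer), not re-serialized JSON.
// Returns the notification fields, or null if the delivery must be dropped.
function acceptWebhook(rawBody, headers, webhookSecret) {
  if (!verifyMessloSignature(rawBody, headers["x-messlo-signature"], webhookSecret)) {
    return null;
  }
  let event;
  try {
    event = JSON.parse(rawBody.toString("utf8"));
  } catch {
    return null;
  }
  if (!event || event.event !== "whatsapp.auth.verified" || typeof event.session_id !== "string") {
    return null;
  }
  // Notification only: a session is still created only after POST /v1/auth/verify-token.
  return { sessionId: event.session_id, phone: event.phone, verifiedAt: event.verified_at };
}

// Constructed sample delivery (not real Messlo output).
const SAMPLE_SECRET = "constructed_webhook_secret";
const SAMPLE_BODY = Buffer.from(JSON.stringify({
  event: "whatsapp.auth.verified",
  session_id: "sess_constructed_123",
  phone: "+910000000000",
  profile_name: "Test User",
  verified_at: "2025-01-01T00:00:00Z",
}));
const SAMPLE_SIG = createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");
console.log(acceptWebhook(SAMPLE_BODY, { "x-messlo-signature": SAMPLE_SIG }, SAMPLE_SECRET));
```

Capture the body as raw bytes before any JSON middleware runs; a parsed and re-serialized body will generally not reproduce the signed bytes.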
API endpoints
Authenticate every request with X-API-Key using the key from your Login app.
| Method | Endpoint | Purpose |
|---|---|---|
| POST | https://api.messlo.com/v1/auth/whatsapp/start | Start session → waLink, subscribeToken |
| GET | https://api.messlo.com/v1/auth/whatsapp/events/:sessionId?token=… | SSE: wait for verified |
| GET | https://api.messlo.com/v1/auth/whatsapp/status/:sessionId | Fetch verificationToken (after verified) |
| POST | https://api.messlo.com/v1/auth/verify-token | Validate token on your server |
Meta webhook (your WABA only): https://api.messlo.com/api/webhook/whatsapp
Copy-paste examples
```sh
curl -s -X POST 'https://api.messlo.com/v1/auth/whatsapp/start' \
  -H 'Content-Type: application/json' \
  -H 'X-API-Key: YOUR_APP_API_KEY' \
  -d '{}'
```

```sh
curl -s -X POST 'https://api.messlo.com/v1/auth/verify-token' \
  -H 'Content-Type: application/json' \
  -H 'X-API-Key: YOUR_APP_API_KEY' \
  -d '{"token":"VERIFICATION_TOKEN_FROM_STATUS"}'
```

Before going live
- Login app created and API key stored securely
- Phone source chosen (your WABA or Messlo shared)
- WABA connected in Messlo (webhook auto-setup) if using your own number
- verify-token called only on your backend
- SSE or webhooks wired — avoid tight polling in production
FAQ
- How does cost compare to WhatsApp OTP (Authentication templates)?
- In India, Meta’s Authentication conversation rate is about ₹0.115 per outbound OTP verification. Login with WhatsApp avoids that template: the user sends a LOGIN message to you (user-initiated), so you are not billed an Authentication OTP per login. Messlo does not charge ₹0.115 per verification on the platform—login sessions are included in your plan. You still pay Meta at official rates for the conversation category that applies; we add 0% markup.
- Do I need my own WhatsApp Business Account?
- No. Choose Messlo shared number on your Login app and users message Messlo's line — no WABA on your account. If you choose Your WhatsApp Business, connect WABA once under Integrate WABA; Messlo configures Meta webhooks for you automatically.
- Can I override the phone per API call?
- Yes. Each app stores a default (use_messlo_phone on the app). For a single start request you may pass use_messlo_phone in the JSON body to override that default.
- Why does login work on production but not localhost?
- Meta sends webhooks to your public Messlo API URL (e.g. api.messlo.com), not to localhost. Use a deployed API or Messlo's dev tools for local testing.
- How long is a session valid?
- About 10 minutes. Poll or SSE will return expired after that; start a new session if the user did not send the message in time.
- Should I use the SDK or raw REST?
- Use @getmesslo/messlo-node-sdk on your backend and @getmesslo/messlo-whatsapp-login on React/Next.js frontends. They implement the same flow documented below (start → SSE or poll → verify-token) with typed helpers and Next.js/Express route adapters. Raw cURL is still fine for debugging.
- Where is the example project?
- Clone https://github.com/GetMesslo/nextjs-whatsapp-login-demo for a complete Next.js App Router app with proxy routes, webhook verification, and UI.
Share this guide: https://messlo.com/developers/login-with-whatsapp