A WhatsApp webhook receiver that drops messages costs the business directly. Inbound conversations are revenue. Status updates drive billing reconciliation. Quality events trigger campaign auto-pause. Engineering teams running WhatsApp on Meta Cloud API in 2026 need a webhook architecture that is idempotent, signature-verified, retry-safe, and queue-buffered. This guide is the production-grade webhook stack — Meta delivery semantics, signature verification, idempotency keys, the 3-second response budget, async processing patterns, retry configuration, and the failure modes that lose messages in the Indian production environment.
Meta's Webhook Delivery Semantics
Meta posts every event (messages, statuses, account_update, message_template_status_update) to your registered webhook URL via HTTPS POST with a JSON body. Meta expects a 2xx response within 3 seconds. If your endpoint returns 4xx, 5xx, or times out, Meta retries with exponential backoff over the next 7 days before dropping the event. During retry, the same event may arrive multiple times — your handler must be idempotent or you risk double-processing.
The Five Hard Requirements
- Signature verification. Validate the X-Hub-Signature-256 header against your APP_SECRET. Reject unsigned events to prevent webhook spoofing.
- 3-second response. Acknowledge with HTTP 200 within 3 seconds. Push processing to a background queue. Synchronous processing inside the webhook handler is the #1 cause of dropped events.
- Idempotency. Use Meta's message id (wamid) or status id as a unique key. Track processed events in Redis or a deduplication table. Re-processing duplicates leads to double-billing, double-replies, and broken state.
- Retry tolerance. Meta retries failed events. Your queue worker must handle the same event arriving 1, 2, or N times without side effects.
- Observability. Log every webhook receipt with timestamp, event type, message id, and processing duration. Without logs you cannot debug message-loss incidents.
Reference Architecture
Meta Cloud API
│ POST /webhooks/whatsapp
▼
[Nginx / Cloudflare]
│ TLS, request size limit
▼
[Webhook Receiver] ────► verify X-Hub-Signature-256
│ persist raw payload
│ return 200 within 3s
▼
[Redis Queue: high-priority]
│
▼
[Queue Worker] ────► dedupe by wamid via SETNX
│ dispatch to typed handler:
│ - InboundMessageHandler
│ - MessageStatusHandler
│ - AccountUpdateHandler
│ - TemplateStatusHandler
│ emit business events
│ update DB + cache
▼
[Realtime broadcast via Echo / WebSockets]
[Billing service]
[Flow execution service]Signature Verification (PHP / Node Examples)
PHP (Laravel)
$signature = $request->header('X-Hub-Signature-256');
$payload = $request->getContent();
$expected = 'sha256=' . hash_hmac('sha256', $payload, env('META_APP_SECRET'));
if (!hash_equals($expected, $signature ?? '')) {
abort(403, 'Invalid signature');
}Node.js (Express)
const signature = req.headers['x-hub-signature-256'];
const expected = 'sha256=' + crypto
.createHmac('sha256', process.env.META_APP_SECRET)
.update(req.rawBody)
.digest('hex');
if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
return res.status(403).send('Invalid signature');
}The 3-Second Response Pattern
Inside the webhook controller, do four things only: verify signature, persist the raw payload to a webhook log table, push a job onto Redis queue, return 200. Everything else — message parsing, billing, broadcasting, flow execution — runs asynchronously in the queue worker.
Get a 1-minute BSP audit on WhatsApp
Drop your WhatsApp number — we line-item your current invoice against Meta India rates in under 60 seconds. India-hosted, DPDP-compliant.
// Laravel controller
public function handle(Request $request)
{
$this->verifySignature($request);
WebhookLog::create([
'received_at' => now(),
'payload' => $request->all(),
]);
ProcessWhatsappInbound::dispatch($request->all())->onQueue('high');
return response('OK', 200);
}On RichAutomate the WebhookController follows exactly this pattern. The ProcessWhatsappInbound job parses the payload, dispatches typed handlers, and updates state — all outside the 3-second budget.
Idempotency Patterns
Every Meta event carries a unique identifier. Inbound messages have wamid. Status updates have status-specific ids. Template events have template ids. Use Redis SETNX with a 7-day TTL to dedupe:
$key = 'webhook:processed:' . $eventId;
$isFirst = Redis::set($key, 1, 'EX', 604800, 'NX');
if (!$isFirst) {
Log::info('Duplicate webhook event', ['id' => $eventId]);
return; // already processed
}
// proceed with processingFor higher durability use a dedupe table with a unique index on event id and an INSERT IGNORE pattern. Slower than Redis but survives Redis flush.
Queue Worker Configuration
| Setting | Recommended value | Why |
|---|---|---|
| Workers per server | 4–8 | Saturate CPU without thrashing Redis connections |
| Queue driver | Redis | Sub-millisecond enqueue, durable enough with AOF |
| Job timeout | 30s | Single inbound shouldn't take longer; longer = bug |
| Tries | 5 | Retry transient DB and downstream failures |
| Backoff | [2, 5, 15, 60, 300] seconds | Progressive — gives downstream time to recover |
| Failed job handler | Mark as failed, alert | Manual review for unrecoverable events |
Indian Production Failure Modes
- Cloudflare 403 to Meta IPs. Cloudflare WAF or Bot Fight Mode can block legitimate Meta webhook posts. Whitelist Meta crawler IPs and disable bot challenges on the webhook path specifically.
- Nginx body size limit. WhatsApp media notifications can exceed default 1MB. Set
client_max_body_size 4Mon the webhook location block. - Synchronous DB write inside webhook. A slow DB query inside the webhook handler causes 3-second timeout, Meta retries, you process the event twice. Move to queue.
- Redis eviction policy. If your Redis is configured with an eviction policy that drops keys under memory pressure, your idempotency keys can disappear and you re-process events. Use a separate dedupe Redis or an in-DB table.
- TLS certificate expiry. Auto-renew certificates. A 7-day Let's Encrypt expiry that nobody renewed is a classic source of silent webhook drops.
- Too aggressive rate limiting. Rate-limiting the webhook path triggers 429 responses, which Meta interprets as failure and retries. Whitelist the webhook from any application-layer rate limit.
Observability Stack
- Log every webhook with timestamp, event type, message id, processing duration.
- Alert on processing duration > 1 second (warning) or > 3 seconds (critical).
- Alert on signature verification failure spike — could indicate APP_SECRET rotation needed.
- Alert on duplicate event rate > 5% — indicates idempotency issue or Meta retries.
- Dashboard showing webhook receipt rate, queue depth, processing latency, and failed job count.
Testing the Webhook in Staging
- Use Meta's webhook test tool in Business Manager to simulate event types.
- Use ngrok or Cloudflare Tunnel to expose local dev to Meta test posts.
- Replay production webhook logs through staging to catch regressions before deploy.
- Load test with 100+ webhooks per second to confirm queue can absorb bursts.
Production-grade webhook ships on RichAutomate.
Signature verification, queue-buffered async processing, idempotency keys, observability dashboard. Proven across Indian D2C, fintech, and EdTech production loads.