WhatsApp Gateway

Security

Security & Responsible Messaging

Controls for API access, webhook delivery, customer isolation, opt-outs, and responsible transactional messaging.

Signed Webhooks

Webhook events can be verified by your receiving system

WhatsApp Gateway signs selected customer webhook events with timestamped HMAC headers and blocks unsafe destination URLs.

Webhook signing and URL safety diagram

API Security

  • API keys are shown once after creation.
  • API keys are stored as hashes.
  • Revoked keys are rejected.
  • API keys are scoped to the customer account.

Webhook Security

  • Customer webhooks support signing.
  • Webhook requests include timestamp and signature headers when a signing secret is configured.
  • Signing secrets are shown once after generation or rotation.
  • Delivery logs are available for sent, failed, and blocked attempts.

URL Safety / SSRF Protection

  • Customer webhook URLs are validated before use.
  • Localhost, private, internal, and metadata URLs are blocked.
  • HTTPS is required in production.
  • Redirects are disabled for outbound webhook delivery.
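
One way a sender could implement the URL checks listed above, as an added example that is not WhatsApp Gateway's own code. The function names, the blocked-hostname list and the injectable resolver are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames refused before any DNS lookup (constructed list for this example).
BLOCKED_HOSTS = {"localhost"}
BLOCKED_SUFFIXES = (".localhost", ".internal", ".local")


def resolve(host):
    """Default resolver: every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def ip_is_public(addr):
    ip = ipaddress.ip_address(addr)
    # Classify IPv4-mapped IPv6 (::ffff:10.0.0.1) by its embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, private, link-local (metadata) ranges.
    return ip.is_global and not ip.is_multicast


def check_webhook_url(url, production=True, resolver=resolve):
    """Return (ok, reason, addresses) for a customer-supplied webhook URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed", set()
    allowed = {"https"} if production else {"https", "http"}
    if parts.scheme not in allowed:
        return False, "scheme", set()
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or parts.username or parts.password:
        return False, "bad authority", set()
    if host in BLOCKED_HOSTS or host.endswith(BLOCKED_SUFFIXES):
        return False, "internal hostname", set()
    try:
        addrs = {str(ipaddress.ip_address(host))}  # host is an IP literal
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:
            return False, "unresolvable", set()
    # Every resolved address must be public, not just the first one.
    if not addrs or not all(ip_is_public(a) for a in addrs):
        return False, "non-public address", addrs
    return True, "ok", addrs
```

Deliver to one of the returned addresses instead of resolving the name a second time, and keep redirect following switched off in the HTTP client, so the destination that was checked is the one that is contacted.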

Dashboard Protection

  • Normal customer and admin forms use CSRF protection.
  • Role-based access protects admin-only routes.
  • MFA support may be enabled for administrator and customer account protection where available.
  • Customer data is isolated by account.
  • Customers cannot access admin settings.

Responsible Messaging Guard

  • Message purpose validation is enforced.
  • Daily and monthly limits are applied.
  • Velocity and risk checks help reduce misuse.
  • Suppression checks, policy events, pause controls, and review controls are available.

Opt-out / Suppression Handling

  • STOP and opt-out style messages can be detected.
  • Suppressed recipients are tracked.
  • Non-essential messages to suppressed recipients are blocked.

Admin Monitoring

  • Inbound logs, send logs, customer webhook logs, 3CX logs, policy events, suppressed recipients, and failed deliveries are available to admins.

Strict Use Policy

No Marketing / Cold Outreach

Marketing campaigns, cold outreach, bulk campaigns, spam, scraped lists, political messaging, fraud, impersonation, phishing, and harmful links are not allowed.

WhatsApp Gateway is an independent integration service and is not affiliated with, endorsed by, or officially connected to WhatsApp, Meta, 3CX, or their related companies.