WhatsApp has become one of the most popular messaging apps with over 2 billion active users worldwide. For developers and businesses, the WhatsApp API provides an opportunity to integrate WhatsApp functionality into their own apps and systems. However, one challenge developers face is that the WhatsApp API tokens expire after 90 days. So how can you get a permanent API token that doesn’t expire?
What is a WhatsApp API token?
The WhatsApp API uses tokens to authenticate requests. A token is an alphanumeric string that allows you to make requests to the WhatsApp API without needing to embed your username and password in each request. Tokens are issued by WhatsApp and have a validity period of 90 days.
Here are some key things to know about WhatsApp API tokens:
- Tokens are generated per Business Account registered with WhatsApp Business API.
- Each token can only be used for one purpose – messaging, media, phone number registration etc.
- Tokens have a validity period of 90 days after which they expire.
- Expired tokens cannot be renewed or reused. You need to generate a new token.
- There is no limit on the number of tokens you can generate for an account.
So in summary, the WhatsApp API uses tokens for authentication that are only valid for 90 days. There are no permanent tokens.
Why WhatsApp API tokens expire
There are a few reasons why WhatsApp has set tokens to expire after 90 days:
- Security – Expiring tokens help improve security by limiting the validity period. This reduces the risk of tokens getting stolen or compromised.
- Force re-validation – Expiring tokens require developers to come back and re-authenticate periodically. This allows WhatsApp to re-validate the application and ensure compliance with the latest policies.
- Cleaner state – Expired tokens get cleaned up automatically. This avoids accumulation of unused tokens over time and keeps the state tidy.
- Breaks inactive apps – Apps that are no longer being used will stop working after the token expires. This prevents inactive apps from accessing the API.
So in summary, expiring tokens are a security best practice and allow WhatsApp to manage their API access and credentials more tightly.
Options for dealing with expiring WhatsApp API tokens
Since the WhatsApp API tokens inevitably expire after 90 days, developers need a strategy to deal with this. Here are some options:
1. Regenerate new tokens programmatically
The best option is to programmatically generate a new token before an existing one expires. Most WhatsApp API client libraries provide methods to generate new tokens. You can call these methods on a periodic basis, like every 80 days, to proactively get a fresh token.
2. Store refresh token and reuse
Another approach is to store the refresh token returned while generating the actual API token. The refresh token has a longer validity of up to 1 year. You can reuse the refresh token to generate new API tokens when existing ones expire.
3. Notify developers to manually refresh
For simpler use cases, you can have a process to notify developers when their API token is about to expire. This reminder can be sent out 75 days after issuance, allowing sufficient time for them to manually generate a new token.
4. Handle authentication failures gracefully
Your application code should expect and handle scenarios where the API token has expired and the request fails authentication. Gracefully generate a fresh token and re-initialize the API when this happens.
So in summary, automate token refreshing, reuse refresh tokens, send expiry reminders, and handle failures properly within your app to deal with expiring WhatsApp tokens.
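A sketch of options 1, 3 and 4 combined, added here as an example and not taken from any WhatsApp SDK. The `issue_token` and `request` callables and the `AuthError` exception are hypothetical stand-ins for whatever token-generation and send calls your client library provides; the 90, 80 and 75 day thresholds are the ones stated above.

```python
import time
from dataclasses import dataclass

DAY = 86400
VALIDITY_DAYS = 90  # token validity stated on this page
ROTATE_DAYS = 80    # option 1: regenerate before expiry
REMIND_DAYS = 75    # option 3: reminder threshold

class AuthError(Exception):
    """Raised by the (hypothetical) request callable when a token is rejected."""

@dataclass
class Token:
    value: str
    issued_at: float

class TokenManager:
    def __init__(self, issue_token, clock=time.time):
        self._issue = issue_token  # hypothetical callable returning a new token string
        self._clock = clock
        self._token = None

    def status(self):
        if self._token is None:
            return "missing"
        age_days = (self._clock() - self._token.issued_at) / DAY
        if age_days >= VALIDITY_DAYS:
            return "expired"
        if age_days >= ROTATE_DAYS:
            return "rotate"
        return "remind" if age_days >= REMIND_DAYS else "ok"

    def current(self):
        # Issue a token on first use and whenever the rotation point has passed.
        if self.status() in ("missing", "rotate", "expired"):
            self._token = Token(self._issue(), self._clock())
        return self._token.value

    def call(self, request):
        try:
            return request(self.current())
        except AuthError:
            # Option 4: the token was rejected early. Refresh once and retry once;
            # a second AuthError propagates so a bad config cannot loop forever.
            self._token = None
            return request(self.current())
```

The single retry is deliberate: an application that regenerates tokens in an unbounded loop on every authentication failure hides misconfiguration and leaves a trail of unused credentials.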
How to generate a new WhatsApp API token
Generating a new WhatsApp API token is simple and straightforward. Here are the steps:
- Log in to your WhatsApp Business Account at www.whatsapp.com/business.
- Go to the WhatsApp Business API section.
- Click on ‘Create Token’.
- Choose the type of token you need – messaging, media, phone registration etc.
- Give this token a name for reference.
- Click ‘Create’.
- The new token will be generated and displayed.
- Copy and save this token as it will only be displayed once.
To generate tokens programmatically, you can use the WhatsApp Business API SDKs for various languages like Node.js, Python, Java etc. These provide simple methods to call the token generation API.
Make sure to store the tokens securely in your app and not expose them in code or logs. Handle tokens safely just like you would handle passwords.
Best practices for managing WhatsApp API tokens
Here are some recommended practices for securely managing WhatsApp API tokens:
- Store tokens in encrypted form using credentials management tools like AWS Secrets Manager, HashiCorp Vault etc.
- Never store tokens directly in code or configuration files. Refer to them via variables.
- Have an automated rotation process to generate fresh tokens at least every 60 days.
- Monitor token expiry dates and set reminders for developers.
- Plan for failure scenarios where a token may suddenly become invalid.
- Limit access to tokens to authorized admin users only.
- Pass tokens at runtime rather than embedding them in clients like mobile apps.
- Have secure backups of tokens to recover from loss scenarios.
Adopting these practices will help you securely manage WhatsApp API tokens and minimize disruption from expiries.
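Two of these points, keeping tokens out of logs and referring to them via variables instead of hard-coding them, can be enforced in code. The following is an added example, not part of any WhatsApp SDK; the environment variable name `WA_API_TOKEN` and the token values are constructed for illustration.

```python
import io
import logging
import os
import re

# Credential part of an Authorization header that lands in a log line.
BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+")

class TokenRedactor(logging.Filter):
    """Attach to handlers so every record is scrubbed before it is written."""
    def __init__(self):
        super().__init__()
        self._secrets = set()

    def register(self, secret):
        if secret:
            self._secrets.add(secret)

    def scrub(self, text):
        # Replace known token values first, then any remaining Bearer credential.
        for s in sorted(self._secrets, key=len, reverse=True):
            text = text.replace(s, "[REDACTED]")
        return BEARER_RE.sub(r"\1[REDACTED]", text)

    def filter(self, record):
        record.msg, record.args = self.scrub(record.getMessage()), ()
        return True

def load_token(redactor, env=os.environ, var="WA_API_TOKEN"):
    # WA_API_TOKEN is a hypothetical variable name, injected at runtime.
    token = env.get(var, "").strip()
    if not token:
        raise RuntimeError(f"{var} is not set; refusing to start without a token")
    redactor.register(token)
    return token

def demo():
    redactor, out = TokenRedactor(), io.StringIO()
    handler = logging.StreamHandler(out)
    handler.addFilter(redactor)
    log = logging.getLogger("wa_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    token = load_token(redactor, env={"WA_API_TOKEN": "CONSTRUCTEDtoken123"})  # constructed value
    log.info("request failed, token=%s", token)
    log.info("headers: Authorization: Bearer %s", "other.CONSTRUCTED-456")
    return out.getvalue()
```

The filter scrubs the formatted message only; tracebacks attached through `exc_info` are rendered later by the formatter and need the same treatment if exceptions can carry the token.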
Frequently Asked Questions
Can I extend the 90 day validity of a WhatsApp API token?
No, there is no way to extend the validity of an existing WhatsApp API token beyond 90 days. You have to generate a fresh new token once the old one expires.
How many active tokens can I have for one WhatsApp business account?
There is no predefined limit set by WhatsApp on the number of active tokens you can have. You can create as many tokens as needed for different purposes like messaging, media, phone registration etc.
Is there any way I can get a long-lived or permanent WhatsApp API token?
No, all WhatsApp API tokens are designed to expire after 90 days. For security and compliance reasons, there is no permanent token and no way to get a validity longer than 90 days.
Can I reuse an expired WhatsApp API token?
No, once a WhatsApp API token expires after 90 days, it cannot be renewed or reused. You have to go through the process of generating a fresh new token.
What happens if my token expires while sending a WhatsApp message?
If your WhatsApp API token expires while your app is trying to send a message, it will result in an authentication error. Your app should catch this failure and automatically try refreshing the token and resending the message.
Conclusion
WhatsApp API tokens provide authenticated access to the WhatsApp Business API, but have a limited lifetime of only 90 days. While you cannot get permanent tokens, you can proactively generate new tokens and implement failure handling in your app to deal with expiries. Using best practices like secure storage, rotation, and monitoring will help minimize disruptions.
By understanding the WhatsApp token mechanism and having a robust strategy to manage expiries, you can build stable apps that use the WhatsApp Business API to its full potential.