How to Configure OpenClaw for WhatsApp: Your AI Agent in Your Pocket
WhatsApp has 2B+ monthly users and is the default messaging app in 180+ countries. Connecting OpenClaw to WhatsApp via Meta's Cloud API turns your AI agent into a pocket assistant you text from anywhere. Here's the full configuration with security hardening.
WhatsApp has 2+ billion monthly active users (Statista 2025). It’s the default messaging app in 180+ countries. It’s where 67% of C-suite executives check their phone within 3 minutes of waking up per Deloitte’s 2025 Digital Workplace Survey. And it’s the single most-requested channel for OpenClaw agents across 150+ beeeowl deployments. The “Can I just text it?” question is the one every executive asks after their first demo. Meta’s Cloud API is the modern path to doing that — free for up to 1,000 business-initiated conversations per month, which is more than enough for a single executive’s agent. This guide walks through the full configuration: Meta Business provisioning, webhook setup, SHA-256 signature verification, number allowlisting, rate limiting, and the natural-language commands real executives use. PwC’s 2025 Global CEO Survey found 79% of CEOs would use AI more if it integrated with tools they already use daily. WhatsApp is that tool.
Why is WhatsApp the most-requested OpenClaw channel?
Because it’s where executives already live, and adding a new app to their workflow is the friction that kills most AI tool adoption. WhatsApp has 2+ billion monthly active users globally (Statista 2025), making it the default messaging app in 180+ countries. Connecting your OpenClaw agent to WhatsApp means you can delegate tasks, pull reports, and trigger workflows from the same app you use to text your family — no extra dashboards, no browser tabs, no laptop required, no new notification stream to learn to check.
We’ve deployed OpenClaw for 150+ executives across the US and Canada. The number one question after the first demo is always the same: “Can I just text it?” Yes. And this is exactly how.
Deloitte’s 2025 Digital Workplace Survey found that 67% of C-suite executives check their phone within 3 minutes of waking up. Having your AI agent available at that moment — before you’ve opened your laptop, before you’ve had coffee, before you’ve even gotten out of bed — changes the dynamic completely. The morning briefing we covered in how to build an AI executive briefing agent becomes a WhatsApp message rather than an email you have to open separately. The friction difference between “open the WhatsApp thread you already have open” and “open a new app you forgot to download on your phone” is the entire adoption story in a nutshell.
What does an OpenClaw WhatsApp conversation actually look like?
Before we get into the technical setup, let’s ground this in reality. Here’s what a typical morning looks like when your AI agent lives in WhatsApp — this is a real interaction pattern from a client deployment (anonymized):
You: What's on my calendar today?
Agent: You have 4 meetings today:
9:00 AM — Board prep sync (Sarah, Mike, David)
11:30 AM — Investor call with Sequoia (Andrew Chen)
2:00 PM — Engineering review (CTO + leads)
4:30 PM — 1:1 with CFO (quarterly close)
Your 9 AM has a deck attached. Want me to summarize it?
You: Yes, and pull background on Andrew Chen before the 11:30
Agent: Done. Board deck summary:
- Revenue up 23% QoQ
- Burn rate decreased to $410K/mo
- Series B timeline moved to Q3
Andrew Chen background sent as a separate message.
Want me to draft talking points for the Sequoia call?That’s not a mockup — it’s a real interaction pattern from a beeeowl client deployment. The agent pulls from Google Calendar via Composio’s OAuth integration, retrieves attachments from Google Drive, runs background research through web search tools, and drafts prep content through the same LLM the briefing agent uses. See the full integration story in connecting OpenClaw to Gmail, Calendar, and Slack via Composio.
According to McKinsey’s 2025 State of AI report, executives spend an average of 23 hours per week on administrative coordination. WhatsApp access cuts the friction of every single one of those interactions down to a text message — and the cumulative time saved is the whole ROI story for executive AI agents.
What do I need before starting?
Here’s what’s required for a WhatsApp-to-OpenClaw connection. If you’re a beeeowl client, we handle all of this during your deployment — but understanding the pieces helps if you want to scope the project internally or evaluate a DIY build.
Prerequisites:
- A running OpenClaw instance (hosted or hardware)
- A Meta Business account (business.facebook.com)
- A WhatsApp Business API phone number (separate from your personal WhatsApp — this is mandatory)
- A registered app in Meta’s Developer Portal (developers.facebook.com)
- A webhook endpoint accessible from the internet via HTTPS (Meta will not send to HTTP URLs)
- A verify token and permanent System User access token from Meta
- A valid TLS certificate on your webhook domain (Let’s Encrypt works fine)
Meta’s Cloud API is the recommended path. It’s free for up to 1,000 business-initiated conversations per month (Meta Business pricing, 2025), which is more than enough for a single executive’s agent — even if they text the agent 30+ times a day, user-initiated conversations (which start from you texting the agent) don’t count against the business-initiated limit. Cloud API replaced the older on-premise API in 2023 and is now the standard for all new integrations. The on-prem API is still supported but being deprecated, so starting with Cloud API is the right call regardless.
How do I set up the Meta Cloud API?
The Meta Cloud API is WhatsApp’s official way to send and receive messages programmatically. Here’s the step-by-step setup we run for every beeeowl deployment that includes WhatsApp as a channel.
Step 1 — Create the Meta app. Head to Meta’s Developer Portal and create a new app. Select “Business” as the type. Add the WhatsApp product to the app. Meta will provision a test phone number automatically — you’ll swap this for your permanent production number later.
# After app creation, grab these from the Meta Developer Dashboard:
export WHATSAPP_PHONE_NUMBER_ID="your_phone_number_id"
export WHATSAPP_BUSINESS_ACCOUNT_ID="your_business_account_id"
export WHATSAPP_ACCESS_TOKEN="your_permanent_token"
export WHATSAPP_VERIFY_TOKEN="your_custom_verify_string"
export WHATSAPP_APP_SECRET="your_meta_app_secret"One thing that trips up most DIY deployers: the access token from the dashboard is temporary (24 hours). You need to generate a permanent System User token through Meta Business Settings — specifically Business Settings > Users > System Users > Add > Generate New Token, scoped to the WhatsApp Business Management and Messaging permissions. Forrester’s 2025 API Integration report found that 34% of WhatsApp integration failures come from expired tokens. Don’t skip this step. If you wake up tomorrow and your agent has stopped responding to texts, a temporary token is the first place to look.
Step 2 — Configure the webhook. WhatsApp sends inbound messages to your server via webhooks. Your OpenClaw instance needs a public HTTPS endpoint that Meta can reach. Here’s the webhook configuration for your OpenClaw environment file:
# openclaw-config.yaml — WhatsApp Channel Configuration
channels:
whatsapp:
enabled: true
provider: meta-cloud-api
phone_number_id: "${WHATSAPP_PHONE_NUMBER_ID}"
business_account_id: "${WHATSAPP_BUSINESS_ACCOUNT_ID}"
access_token: "${WHATSAPP_ACCESS_TOKEN}"
verify_token: "${WHATSAPP_VERIFY_TOKEN}"
webhook_path: "/channels/whatsapp/webhook"
message_handling:
auto_read_receipts: true
typing_indicator: true
max_response_length: 4096The webhook verification follows Meta’s standard challenge-response pattern. When you register the webhook URL in the Developer Portal, Meta sends a GET request with a challenge string. Your server echoes it back, proving ownership of the endpoint:
# Test webhook verification locally before deploying
curl -X GET "https://your-openclaw-domain.com/channels/whatsapp/webhook?\
hub.mode=subscribe&\
hub.verify_token=your_custom_verify_string&\
hub.challenge=test_challenge_123"
# Expected response: test_challenge_123If the verification fails, Meta won’t let you register the webhook. 90% of failed verifications are caused by the verify token in the Developer Portal not matching the one in your environment variables — a simple string mismatch that’s easy to miss.
Step 3 — Handle inbound messages. Once the webhook is verified, inbound messages arrive as POST requests. OpenClaw’s WhatsApp channel handler parses the payload, routes it to the Gateway, processes the intent through the agent runtime, and returns the agent’s response through Meta’s Send Message API. Here’s what an inbound payload looks like:
{
"object": "whatsapp_business_account",
"entry": [
{
"id": "BUSINESS_ACCOUNT_ID",
"changes": [
{
"value": {
"messaging_product": "whatsapp",
"metadata": {
"phone_number_id": "PHONE_NUMBER_ID"
},
"messages": [
{
"from": "15551234567",
"id": "wamid.abc123",
"timestamp": "1711612800",
"text": {
"body": "Summarize my inbox"
},
"type": "text"
}
]
}
}
]
}
]
}The agent processes that “Summarize my inbox” request through the Email Triage skill, connects to Gmail or Outlook via Composio’s OAuth layer, runs the summary through the LLM, and sends the response back through WhatsApp — all within 3-5 seconds end to end. That latency is dominated by LLM inference time, not by WhatsApp API overhead.
How do I secure the WhatsApp connection?
Security isn’t optional when you’re running an AI agent that can access your email, calendar, CRM, and financial data. WhatsApp adds a mobile attack surface that doesn’t exist with Slack or a web interface, and the default Meta Cloud API setup doesn’t lock down enough of it automatically. Here’s what we lock down in every beeeowl deployment.
Signature verification on every webhook. Every inbound webhook from Meta includes a SHA-256 signature in the X-Hub-Signature-256 header. Your OpenClaw instance should verify this signature against your app secret before processing any message. Without this check, an attacker who discovers your webhook URL could send forged payloads that the agent would process as if they were real Meta webhooks.
# Security hardening in openclaw-config.yaml
channels:
whatsapp:
security:
verify_signatures: true
app_secret: "${WHATSAPP_APP_SECRET}"
allowed_numbers:
- "${WHATSAPP_ALLOWED_NUMBERS}"
rate_limit:
max_messages_per_minute: 30
max_messages_per_hour: 500
ip_allowlist:
- "157.240.0.0/16" # Meta's IP range
- "179.60.192.0/22" # Meta's IP rangeNumber allowlisting. The allowed_numbers field is critical. Without it, anyone who discovers your WhatsApp Business number could send commands to your agent. We whitelist only the executive’s phone number and, if applicable, their EA’s number. Every other sender gets rejected at the Gateway before the message ever reaches the agent runtime. This is the single most important security control in the WhatsApp channel configuration because your Business Number will eventually end up on some contact list somewhere, and you don’t want the wrong contact to be able to query your calendar.
IP allowlisting at the firewall. Meta publishes its outbound webhook IP ranges, and you can restrict your webhook endpoint to accept traffic only from those ranges. This is defense in depth — if someone forges a webhook and somehow gets past the signature check, the firewall still rejects them because the source IP isn’t Meta’s.
Rate limiting. Default of 30 messages per minute and 500 per hour per authorized sender. This protects against runaway loops in the agent (if it somehow gets into a back-and-forth with itself through a bug) and against malicious flooding.
End-to-end encryption nuance. WhatsApp uses the Signal Protocol for end-to-end encryption on consumer messages. But here’s the nuance that matters: WhatsApp Business API messages are encrypted in transit (TLS 1.3) and at rest on Meta’s servers, but Meta can technically access business message content for policy enforcement. This is per Meta’s own WhatsApp Business API documentation (2025). For executives handling sensitive deal flow or board communications, we recommend pairing WhatsApp with beeeowl’s Private On-Device LLM add-on ($1,000). With this configuration, your prompts and the LLM’s reasoning never leave your hardware — not even to OpenAI or Anthropic’s servers. WhatsApp becomes a thin transport layer, and the actual intelligence runs locally on the Mac Mini sitting in your office or the MacBook Air in your bag. See running a private LLM with Ollama for the full on-device architecture.
According to IBM’s 2025 Cost of a Data Breach report, the average executive-level data breach costs $4.88 million. A $1,000 on-device LLM add-on is insurance that pays for itself the first time you text your agent about an acquisition target.
Which messaging channel should I actually use?
WhatsApp is the most popular request, but it’s not the only option. Here’s how the main channels compare for executive use, based on 150+ deployments we’ve shipped.
| Feature | Telegram | Slack | iMessage | |
|---|---|---|---|---|
| Global users | 2B+ (Statista) | 900M+ (Telegram, 2025) | 44M+ (Salesforce) | 1.3B+ Apple devices |
| End-to-end encryption | Yes (Signal Protocol) | Optional (Secret Chats) | No (enterprise TLS) | Yes (iMessage protocol) |
| Business API available | Yes (Meta Cloud API) | Yes (Bot API, free) | Yes (Slack API) | No official API |
| File sharing | Up to 2GB | Up to 2GB | Up to 1GB (free tier) | 100MB practical limit |
| Message formatting | Basic (bold, italic) | Full Markdown | Full Markdown + blocks | None |
| Setup complexity | Medium (Meta approval) | Low (instant BotFather) | Low (workspace admin) | High (requires Apple relay) |
| Response latency | 200-400ms API overhead | 50-100ms | 100-200ms | 500ms+ (relay overhead) |
| Best for | Mobile-first executives | Privacy-focused users | Team-integrated workflows | Apple ecosystem users |
In our experience, most executives pick two channels. The most common combination is Slack for desktop work and WhatsApp for mobile. Telegram is a strong alternative for executives who prioritize privacy — its Bot API requires no business approval process, and Secret Chats offer client-to-client encryption. The trade-off is smaller adoption in North America — Statista reports Telegram’s US user base at 26 million versus WhatsApp’s 98 million (2025). iMessage is the white whale — Apple doesn’t offer an official business messaging API, so OpenClaw’s iMessage integration relies on a relay running on the same Mac hardware as your agent. It works well for Mac Mini and MacBook Air deployments but isn’t available for hosted setups.
What are the most useful WhatsApp commands?
Once your agent is live on WhatsApp, these are the command patterns our clients use most frequently. They’re not rigid syntax — the agent understands natural language and handles variations — but these patterns give you an idea of what’s possible and what the response format looks like.
Inbox management:
You: Summarize my inbox
Agent: 47 emails since yesterday. Here's the breakdown:
Urgent (3): Legal review request from Wilson Sonsini,
board vote deadline from Sarah, investor term sheet from a16z
Needs response (8): [list]
FYI only (36): newsletters, notifications, automated reports
Want me to draft responses to the urgent ones?Meeting prep:
You: Prep me for the 2pm
Agent: Your 2:00 PM is Engineering Review with CTO + 4 leads.
Agenda: Q2 roadmap, hiring pipeline, infra costs
Last meeting notes: Agreed to hire 3 senior engineers,
migrate to AWS us-east-2, reduce CI build time by 40%
Open items: No update on the CI migration since March 12
Key metric: Engineering velocity dropped 12% last sprint.
Likely topic of discussion.Financial quick-pulls:
You: Pull the latest revenue numbers
Agent: March 2026 (MTD through 3/27):
MRR: $2.14M (+6.2% vs Feb)
ARR run rate: $25.7M
Net new customers: 34
Churn: 1.8% (down from 2.1% in Feb)
Source: Stripe dashboard, synced 15 min ago.
Want the full P&L summary or just the revenue breakdown?Quick delegation:
You: Tell Sarah the investor deck is ready for her review
Agent: Sent to Sarah via Slack DM with a link to the deck.
She's read but not replied yet.
I'll let you know when she responds.These aren’t scripted responses. The agent connects to Gmail, Google Calendar, Salesforce, Stripe, HubSpot, and 250+ other tools through Composio’s MCP integrations. According to Gartner’s 2025 AI Agent Market Guide, organizations that connect AI agents to five or more enterprise tools see a 3.2x increase in executive adoption compared to standalone deployments. The WhatsApp channel is the delivery layer; Composio is what makes it powerful. See our deep-dive on MCP protocol.
How does beeeowl handle all of this?
If you’ve read this far and thought “I don’t want to configure Meta’s Developer Portal myself” — that’s the whole point. Every beeeowl deployment includes full WhatsApp channel setup as part of the standard package, across every tier. Here’s exactly what we do during your one-day deployment:
- Provision your WhatsApp Business number — we handle Meta Business verification, phone number registration, and the business display name approval
- Configure the Cloud API — app creation in the Developer Portal, permanent System User token generation, webhook registration with challenge/response verification
- Security hardening — SHA-256 signature verification, number allowlisting (we explicitly whitelist your executive’s phone and their EA if applicable), IP allowlisting at the firewall, rate limiting at 30 msg/min and 500/hr, request logging for audit
- Skill mapping — connecting your most-used workflows (inbox triage, calendar checks, CRM pulls, financial summaries) to natural language triggers so the agent understands “prep me for the 2pm” without a rigid command syntax
- Testing — we send and receive test messages from your actual phone number before handoff, including edge cases like long responses, file attachments, and failure modes
- Backup channel — we configure at least one additional channel (usually Slack) as a fallback so if Meta has an outage, your agent is still reachable
The WhatsApp setup is included in every tier — Hosted ($2,000), Mac Mini ($5,000), and MacBook Air ($6,000). No extra charge. For executives who want the maximum security configuration, the Private On-Device LLM add-on ($1,000) keeps all AI processing on your hardware while still using WhatsApp as the messaging layer.
According to a 2025 PwC Global CEO Survey, 79% of CEOs said they’d use AI more if it integrated with tools they already use daily. WhatsApp is that tool. We’ve seen it cut the average time-to-first-interaction from 3 days (for web dashboard deployments) to 4 minutes (for WhatsApp after deployment ships). Once you’ve texted your agent once, you keep texting it — because the friction is zero. See our one-day deployment guide for the full playbook.
What are the limitations I should know about?
We don’t oversell. WhatsApp has real constraints you should be aware of before committing to it as your primary channel.
Meta’s 24-hour messaging window. After a user messages your agent, you have 24 hours to respond freely. After that, you can only send pre-approved template messages. This rarely matters in practice — executives text their agent multiple times per day — but it means the agent can’t proactively reach out after a long silence without using a template. Morning briefings work because you text first (“briefing?”) or because we schedule them as approved templates.
Message length limits. WhatsApp caps messages at 4,096 characters. Long reports get truncated, though OpenClaw’s WhatsApp channel handler automatically splits multi-part messages for longer outputs. A 10-page financial summary is better delivered as a PDF attachment than a text wall — the agent supports that.
No voice input processing (yet). WhatsApp lets you send voice notes, but OpenClaw’s current WhatsApp channel handler processes text only. Voice note support via OpenAI Whisper integration is on our roadmap for Q3 2026.
Rate limiting at Meta’s tier. Meta enforces rate limits on the Cloud API — 80 messages per second for standard tier, 1,000 for high-throughput. For a single executive, this is never an issue. For multi-agent enterprise deployments with 20+ users, we provision accordingly and request the higher tier if needed.
Business Manager verification can take days. If Meta flags your business for additional review (which happens occasionally for certain industries or business types), the phone number provisioning can take 3-5 business days instead of same-day. We build this into the timeline when it applies.
How do I get started?
If you’re already a beeeowl client, reach out and we’ll add WhatsApp to your existing deployment — typically a 2-hour configuration session that we handle remotely. If you’re new to beeeowl, WhatsApp support is included in every deployment package. We’ll have your AI agent responding to texts on day one. No Meta Developer Portal headaches, no webhook debugging, no token expiration surprises at 3 AM.
The fastest path from “I want this” to “I’m texting my AI agent” is one week. That’s provisioning, configuration, security hardening, testing, and shipping — all handled by our team end-to-end. Request your deployment and we’ll configure WhatsApp as your primary channel from the start. For the full pricing breakdown, see our pricing page, and for role-specific workflow examples you can text your agent about, see our use cases page.
