Control Plane and Runtime Responsibilities
- Dashboard Mantap! (control plane): project setup, API key management, and device onboarding actions.
- WA Gateway (runtime plane): direct messaging API, webhooks, media retrieval, and message lifecycle events.
- Internal Mantul integration: engineers use device_id-only calls while mapping and auth resolution are performed server-side.
Runtime API Surface
- POST /devices, GET /devices, DELETE /devices/{device_id}, POST /devices/{device_id}/qr, POST /devices/{device_id}/disconnect
- POST /devices/{device_id}/messages, GET /devices/{device_id}/messages
- GET /devices/{device_id}/groups, GET /devices/{device_id}/profile?jid=..., GET /devices/{device_id}/presence?jid=...
- GET /media?path=..., GET /health
Outbound Message Capability Matrix
| Type | Supported | Main Fields |
|---|---|---|
| text | Yes | to, text |
| image | Yes | to, url or data_base64, mime_type, caption (optional) |
| video | Yes | to, url or data_base64, mime_type, caption (optional) |
| audio | Yes | to, url or data_base64, mime_type, ptt (optional voice-note mode) |
| document | Yes | to, url or data_base64, mime_type, file_name (optional), caption (optional) |
| sticker | Yes | to, url or data_base64, mime_type |
| contact | Yes | to, contact_name, vcard |
| location | Yes | to, latitude, longitude, address (optional label) |
| buttons/interactive | Beta (feature flag) | to, text, buttons[], footer (optional) |
| poll | Beta (feature flag) | to, poll_question, poll_options[], poll_multi (optional) |
Webhook Event Catalog
| Event | Purpose |
|---|---|
| message | Inbound/outbound message data, including attachment metadata. |
| receipt | Delivery/read progression for message IDs. |
| message_revoked | Message was deleted/revoked. |
| button_response, list_response, interactive_response, poll_response | Replies to interactive content. |
| presence, chat_presence | Availability and chat activity changes. |
| device_qr_generated, device_connected, device_disconnected, device_destroyed | Device lifecycle transitions. |
| logout, warning | Connection or platform warnings (logged out, temporary ban, stream issues, outdated client). |
Webhook Delivery and Security
- Webhook delivery is automatic for message, receipt, and lifecycle events when a webhook path is configured.
- Gateway sends signature headers (X-WA-Timestamp, X-WA-Signature, X-WA-Signature-Alg) and does not expose the webhook secret value.
- Receiver should validate the HMAC signature and timestamp on every callback.
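
A receiver-side check for the signature headers listed above, as an added example that is not the gateway's own code. The page does not document the signing format, so the signed string (timestamp, a dot, then the raw body), the HMAC-SHA256 algorithm label, hex encoding and the 300-second window are assumptions to replace with your gateway's actual values.

```python
import hashlib
import hmac
import time

# Assumptions (not stated on the page): the gateway signs "<timestamp>.<raw body>"
# with HMAC-SHA256, hex-encodes the digest, and X-WA-Timestamp is Unix seconds.
ALLOWED_ALGS = {"hmac-sha256": hashlib.sha256}
MAX_SKEW_SECONDS = 300  # assumed replay window


def verify_webhook(headers, raw_body, secret, now=None):
    """Return (ok, reason) for one callback; raw_body must be the unparsed bytes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ts = h.get("x-wa-timestamp")
    sig = h.get("x-wa-signature")
    alg = h.get("x-wa-signature-alg")
    if not ts or not sig or not alg:
        return False, "missing signature header"
    # Pin the algorithm to an allow-list instead of trusting the header value.
    digest = ALLOWED_ALGS.get(alg.lower())
    if digest is None:
        return False, "unsupported algorithm"
    if not (ts.isascii() and ts.isdigit()):
        return False, "malformed timestamp"
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # The timestamp is covered by the MAC, so a replayed body cannot be re-dated.
    expected = hmac.new(secret, ts.encode() + b"." + raw_body, digest).hexdigest()
    # Constant-time comparison on bytes avoids timing leaks and str-type errors.
    if not hmac.compare_digest(expected.encode(), sig.lower().encode()):
        return False, "signature mismatch"
    return True, "ok"


def sign_for_demo(secret, ts, raw_body):
    """Constructed sender side, used only to build the sample callbacks below."""
    return hmac.new(secret, f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    body = b'{"event":"message","device_id":"dev-1"}'  # constructed sample payload
    ts = "1700000000"
    hdrs = {"X-WA-Timestamp": ts, "X-WA-Signature-Alg": "HMAC-SHA256",
            "X-WA-Signature": sign_for_demo(secret, ts, body)}
    print(verify_webhook(hdrs, body, secret, now=1700000010))
    print(verify_webhook(hdrs, body + b" ", secret, now=1700000010))
    print(verify_webhook(hdrs, body, secret, now=1700009999))
```

Verify against the raw request bytes before any JSON parsing, since re-serialized JSON rarely matches the signed bytes.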
Attachment Ingestion Capabilities
- Inbound attachment payload includes message_type, media_path, media_mime_type, media_size, and optional caption/text.
- contact payload includes backward-compatible fields (contact_name, contact_vcard) and normalized contact object(s).
- location payload includes latitude, longitude, location_name, and location_address when present.
- Use GET /media?path=... to fetch binary file securely (internal auth resolved server-side in Mantul flow).
Built-In Safety and Reliability Controls
- Media input supports url or data_base64 with size and MIME enforcement.
- Media URL fetch uses SSRF guards (host and scheme validation).
- Message send includes provider retry with backoff on rate-limit scenarios.
- API includes per-token/global rate-limit and request-size controls.
- Internal device-control endpoints are guarded by host/IP whitelist policies for Onebrick server sources.
- Host/IP whitelist policy is scoped to internal device routes and is not a replacement for webhook callback receiver filtering.