Embedded Signup

What Is Embedded Signup?

Embedded Signup is Meta's official OAuth flow for connecting WhatsApp Business Accounts to third-party platforms. It opens a popup window where the business owner authorizes access, and the platform receives the credentials needed to manage the account via Cloud API.

How It Works in Dualhook

Dualhook loads the Facebook JS SDK and calls FB.login() with a config_id, response_type: "code", and sessionInfoVersion: "3". A postMessage listener captures the waba_id and phone_number_id from the popup before it closes.

On the server side, Dualhook exchanges the authorization code for an access token using your app credentials. Token expiry is tracked in the database via tokenIssuedAt and tokenExpiresAt fields so Dualhook can warn you before a token expires.

Atomic Configuration

Dualhook collects your webhook URL and verify token before opening the Meta popup. This ensures the Webhook Override is configured immediately after the token exchange completes — before any messages arrive. There is no window where messages could be delivered to the wrong endpoint.

Fallback ID Discovery

If the postMessage listener does not capture the account identifiers, Dualhook falls back to a discovery chain: debug the token, look up /me/businesses, find owned WABAs, and enumerate phone numbers. This ensures the connection succeeds even if the popup communication is interrupted.