WhatIsUp.dev

Architecture

WhatIsUp.dev sits between your application and WhatsApp. Your code talks to a clean REST API; the gateway holds the WhatsApp connection, signs and stores delivery records, and posts events back to your endpoint.

Your app talks to one HTTP endpoint. The gateway owns the WhatsApp side.

The pieces

  • Your app holds the API key, makes HTTP requests, and exposes a webhook URL where delivery events land.
  • WhatIsUp.dev is the gateway: a REST API on the front, durable storage for channels + delivery records, an outbound queue with retries, and the WhatsApp connection on the back.
  • WhatsApp is reached over the standard WhatsApp Web protocol — no Twilio middleman, no Meta business-verification queue.

Customer / channel / API key

customer
   ├── api key (one or more)
   ├── channel  (one per phone number)
   │     ├── webhook endpoint
   │     │     └── delivery record  (one per event)
   │     └── audit event
   └── audit event

A customer is your account — the billing and isolation boundary. A channel is one paired phone number; you can run as many as your plan allows. API keys are scoped to a customer; you can also bind a key to a single channel when you want least-privilege isolation (e.g. a marketing app that should only be able to send from one number).

Trust boundaries

| Boundary | What's enforced |
| --- | --- |
| API key → customer | Keys are stored hashed; the plaintext is shown to you exactly once at creation. |
| Outbound webhook URLs | Public DNS only — loopback, private network, and cloud-metadata IPs are rejected at create and delivery time. HTTPS-only in production. |
| Webhook signing secrets | Encrypted at rest with rotation support. |
| Cross-customer access | Every query is filtered by your customer id. There's no "global admin" path. |
| Audit log | Append-only — every customer-visible state change leaves a row, and rows outlive the resources they reference. |
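
The outbound-webhook row above describes rejecting loopback, private-network and cloud-metadata addresses at both create and delivery time. A sketch of such a check in Python, added here as an illustration and not WhatIsUp.dev's own code; the function names, the injectable resolver and the sample DNS table are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host):  # every A/AAAA address the host resolves to now
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable answer: fail closed
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918 and link-local (169.254.169.254).
    return ip.is_global and not ip.is_multicast

def check_webhook_url(url, resolver=system_resolver, production=True):
    """Return (ok, reason). Run at create time and again right before
    each delivery, because a hostname's DNS answer can change."""
    parts = urlsplit(url)
    allowed = {"https"} if production else {"https", "http"}
    if parts.scheme not in allowed or not parts.hostname:
        return False, "scheme or host not allowed"
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        addrs = {host}  # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "dns lookup failed"
    if not addrs:
        return False, "no addresses"
    # One non-public record among several is enough to reject.
    bad = sorted(a for a in addrs if not is_public(a))
    if bad:
        return False, "non-public address " + bad[0]
    return True, "ok"

# Constructed DNS answers standing in for real lookups (sample data).
SAMPLE_DNS = {"hooks.example.com": {"93.184.216.34"},
              "intranet.example.com": {"10.0.0.5"},
              "mixed.example.com": {"93.184.216.34", "127.0.0.1"}}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, set())
```

The delivery-time result only holds if the HTTP client then connects to one of the addresses that were checked, so the sender should pin the connection to a validated IP. Redirect targets need the same check before they are followed.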

What's deliberately not here

  • No SDK install — the API is plain HTTP + JSON, so curl is a first-class client.
  • No multi-region writes for v1. A single primary database keeps consistency simple; this is the right call until traffic shape demands otherwise.
  • No black-box "AI assistant" surface. The product is the wire — what you build on top is yours.