Skip to content
WhatIsUp.dev

Going to production

WhatIsUp.dev is fully managed — there's nothing to deploy, scale, or babysit. We run the API, the delivery queue, the database, and the realtime layer for you. Going live is a short checklist on your side: get a production key, connect a channel, point a webhook, and handle events idempotently.

1 — Get a production API key

In the dashboard, open API keys and create a key for production. Store it as a server-side secret — never ship it in client code. You can rotate at any time; old keys keep working until you revoke them. See API keys.

2 — Connect and pair your channel

Create a channel, open its QR, and scan it from WhatsApp on the number that will send and receive. Poll the channel until status is connected:

curl -H "Authorization: Bearer $WHATISUP_API_KEY" \
  https://api.whatisup.dev/v1/channels/$CHANNEL_ID

Pairing is durable — a connected channel stays connected across our restarts, so you won't be asked to re-scan on our account.

3 — Point a webhook at your endpoint

Register your HTTPS endpoint and verify the signature on every request. We sign each delivery with HMAC-SHA256 over the raw body, Stripe-style:

import crypto from 'node:crypto';
 
function verify(rawBody: string, signature: string, secret: string) {
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}

Ack fast — return 2xx within a few seconds and process async. Non-2xx responses are retried with exponential backoff, up to 8 attempts. See Webhooks → Signature verification.

4 — (Optional) Subscribe to realtime events

If you'd rather not run a public webhook — a dashboard or internal tool, say — stream events over Server-Sent Events instead:

GET https://api.whatisup.dev/v1/events

Same event shapes, no public endpoint to maintain. See Server-Sent Events.

5 — Make event handling idempotent

Networks retry, so treat both the webhook and SSE streams as at-least-once. Dedupe by event_id on your side and a re-delivered event becomes a no-op. See Idempotency.

6 — Know your limits

  • Rate limits are per-key and per-plan — see Rate limits.
  • Errors and how to handle them — see Errors.
  • Live health and uptime — check the status page at whatisup.dev/status.

That's the whole list. No servers, no migrations, no queue to operate — just the REST API and signed webhooks.