Trust & Security

Security at LoginWA

Security is built into how we run the WhatsApp API — from encrypted transport to hashed credentials and signed webhooks. This page summarizes the practices that protect your data and your integration.

How we protect your data

🔒 Encrypted transport

All API traffic is served exclusively over HTTPS/TLS and fronted by Cloudflare, which adds DDoS protection and a WAF. Plaintext HTTP is not accepted.

🔑 API key hashing & rotation

API key secrets are stored hashed, never in plaintext, so they cannot be read back from our database. You can rotate keys at any time, and old keys stop working immediately.

🛡️ IP whitelisting

Restrict API access to known servers. Requests from non-whitelisted addresses are rejected with 403 ip_not_allowed. Manage your allowlist via the dashboard or the /api/v1/ip-whitelist endpoint.

✍️ Signed webhooks (HMAC)

Every outbound webhook is signed with the X-LoginWA-Signature header — an HMAC-SHA256 of the raw request body — alongside X-LoginWA-Event. Verify the signature with your webhook secret to confirm the payload is genuinely from LoginWA and was not tampered with. Secrets can be regenerated at any time.
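A receiver-side check for the scheme described above, as an added example (not LoginWA's own code). It assumes the X-LoginWA-Signature value is the hex digest of HMAC-SHA256 over the raw body, keyed with the webhook secret; the encoding is an assumption, as are the sample secret, body and event name.

```python
"""Verify a LoginWA-style signed webhook before parsing its body.

Added example, not LoginWA's code. Assumes X-LoginWA-Signature carries the
lowercase hex digest of HMAC-SHA256(secret, raw_body); the page does not
state the encoding.
"""
import hashlib
import hmac

# Constructed sample values, not real credentials or real payloads.
WEBHOOK_SECRET = "whsec_example_do_not_use"
SAMPLE_BODY = b'{"event":"otp.verified","phone":"+10000000000","status":"ok"}'


def sign(secret: str, raw_body: bytes) -> str:
    """Compute the signature the sender would attach (hex encoding assumed)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value matches HMAC-SHA256 over the raw body.

    The MAC must be computed over the bytes exactly as received: re-serialising
    parsed JSON can change whitespace or key order and break verification.
    hmac.compare_digest is used so a mismatch does not leak its position via
    response timing.
    """
    if not header_value:
        return False
    expected = sign(secret, raw_body)
    return hmac.compare_digest(expected, header_value.strip().lower())


def handle_webhook(headers: dict, raw_body: bytes, secret: str = WEBHOOK_SECRET):
    """Minimal receiver: drop the request if the signature does not verify."""
    if not verify_signature(secret, raw_body, headers.get("X-LoginWA-Signature")):
        return 401, None  # do not process the body; log and discard
    return 200, headers.get("X-LoginWA-Event")


if __name__ == "__main__":
    good = {"X-LoginWA-Event": "otp.verified",
            "X-LoginWA-Signature": sign(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(handle_webhook(good, SAMPLE_BODY))            # (200, 'otp.verified')
    tampered = SAMPLE_BODY.replace(b'"ok"', b'"failed"')
    print(handle_webhook(good, tampered))               # (401, None)
```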

👤 Least-privilege access

Internal access to production systems is limited to the people who need it, scoped to the minimum required, and removed when no longer needed. Authentication uses HTTP Bearer tokens or the X-Api-Key header, and protected endpoints additionally require an active subscription.

🗂️ Data handling & minimization

We collect only what is needed to deliver messages and verify users — primarily phone numbers and verification metadata. OTP codes are hashed and expire automatically; we do not store message content beyond what is required to operate the service. See our Privacy Policy for full details.

Secure integration tips

Responsible disclosure

We welcome reports from security researchers. If you discover a vulnerability, please report it privately to [email protected] (or via our contact page) and give us a reasonable time to investigate and fix the issue before any public disclosure. Please do not access or modify data that is not yours, degrade our service, or run automated scans that could disrupt other customers. We are grateful for good-faith research and will acknowledge valid reports.
