A Node.js API for sending WhatsApp verification codes using the unofficial WhatsApp Web API. This project provides a secure way to integrate WhatsApp messaging functionality into your applications.
This project uses an unofficial WhatsApp API (whatsapp-web.js) which violates WhatsApp's Terms of Service. There is a significant risk that WhatsApp may ban accounts using this solution. Use at your own risk.
- QR code based WhatsApp authentication
- JWT protected API endpoints
- Rate limiting for verification requests
- Session persistence with LocalAuth
- Health check endpoint
- CORS and security headers
- Status monitoring
- Node.js v18 or higher
- npm or yarn
- WhatsApp account (with risk of being banned)
- Redis (optional, for production rate limiting)
1. Clone the repository:

   ```bash
   git clone https://github.com/yourusername/whatsapp-verification-api.git
   cd whatsapp-verification-api
   ```

2. Install dependencies:

   ```bash
   npm install
   ```

3. Create a `.env` file based on the example:

   ```
   PORT=3001
   JWT_SECRET=your_very_strong_secret_here
   ALLOWED_ORIGIN=http://yourfrontend.com
   ```

4. Start the server:

   ```bash
   npm start
   ```

5. The server will initialize the WhatsApp client and display a QR code in the console.

6. Scan the QR code with your WhatsApp mobile app to authenticate.

Endpoint | Method | Description | Authentication |
---|---|---|---|
/api/token | GET | Generate a JWT token (for demo only) | None |
/api/qr | GET | Get the current WhatsApp QR code | JWT |
/api/send-verification | POST | Send a verification code via WhatsApp | JWT |
/api/status | GET | Check WhatsApp connection status | JWT |
/health | GET | Server health check | None |

Generate Token (for testing):

```bash
curl "http://localhost:3001/api/token?user=admin"
```

Get QR Code:

```bash
curl -H "Authorization: Bearer YOUR_TOKEN" http://localhost:3001/api/qr
```

Send Verification Code:

```bash
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{"phone": "+1234567890", "code": "123456"}' \
  http://localhost:3001/api/send-verification
```

- WhatsApp Account Risk: Using unofficial APIs may lead to account bans by WhatsApp.
- JWT Security: Always use strong secrets and consider rotating them regularly.
- Rate Limiting: The API implements basic rate limiting to prevent abuse.
- CORS: Configure ALLOWED_ORIGIN to restrict frontend access.
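
One way to rate-limit verification requests per recipient, as an added example that is not the project's own code: a sliding-window limiter keyed by the normalized phone number, so formatting variants of one number share a single allowance. `createLimiter`, `normalizePhone`, `WINDOW_MS` and `MAX_PER_WINDOW` are assumed names and values.

```typescript
// Added example, not the project's code. Names and limits are assumptions.
const WINDOW_MS = 10 * 60 * 1000; // assumed window: 10 minutes
const MAX_PER_WINDOW = 3;         // assumed cap: 3 codes per number per window

interface Decision {
  allowed: boolean;
  reason?: "invalid_phone" | "rate_limited";
  retryAfterMs?: number;
}

// Canonicalize input to an E.164 key so "+1 (234) 567-890" and "+1234567890"
// hit the same bucket instead of each getting a fresh allowance.
function normalizePhone(raw: string): string | null {
  const stripped = raw.replace(/[\s().-]/g, "");
  return /^\+[1-9]\d{7,14}$/.test(stripped) ? stripped : null;
}

// The clock is injectable so the window logic can be tested deterministically.
function createLimiter(now: () => number = Date.now) {
  const sent = new Map<string, number[]>(); // phone -> send timestamps (ms)

  return function check(rawPhone: string): Decision {
    const key = normalizePhone(rawPhone);
    if (key === null) return { allowed: false, reason: "invalid_phone" };

    const t = now();
    // Keep only timestamps still inside the window.
    const recent = (sent.get(key) ?? []).filter((ts) => t - ts < WINDOW_MS);
    sent.set(key, recent);

    if (recent.length >= MAX_PER_WINDOW) {
      const oldest = recent[0] ?? t;
      return { allowed: false, reason: "rate_limited", retryAfterMs: oldest + WINDOW_MS - t };
    }
    recent.push(t); // record this send
    return { allowed: true };
  };
}
```

This keeps state in one process's memory and never evicts idle numbers; a shared store such as the optional Redis dependency listed above is the place for this state when running more than one instance.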

```
whatsapp-verification-api/
├── config/
│   ├── client.ts       # WhatsApp client configuration
│   └── env.ts          # Environment configuration
├── controllers/
│   └── controller.ts   # API route handlers
├── middlewares/
│   └── auth.ts         # JWT authentication
├── routes/
│   └── routes.ts       # API route definitions
├── utils/
│   └── logger.ts       # Logging utility
├── server.ts           # Express server setup
└── README.md
```

- Unofficial API: This uses whatsapp-web.js which is not officially supported by WhatsApp.
- Account Bans: WhatsApp actively bans accounts using automation tools.
- Session Persistence: While LocalAuth helps, sessions may still expire unexpectedly.
- Scalability: Not designed for high-volume messaging which increases ban risk.
Contributions are welcome, but please note the inherent risks of this project. Before contributing:
- Fork the repository
- Create a feature branch
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
For production use, consider WhatsApp's official Business API: