Starter Kit

A 2-minute Express-based webhook receiver with signature verification, send helper, and auto-reply.

What's In The Kit

• A signature-verifying webhook receiver at POST /webhook.
• A sendMessage(to, text) helper that POSTs to the sandbox proxy or to Meta directly.
• An auto-reply handler you can rip out or customize.
• An .env.example with the env keys the CLI will fill in.

Quick Start

Clone, install, pull sandbox env, run.

git clone https://github.com/hookmyapp/webhook-starter-kit.git
cd webhook-starter-kit
npm install
hookmyapp sandbox env --write .env
npm start

How Signature Verification Works

Every forwarded webhook arrives with an X-HookMyApp-Signature-256 header set to sha256=<hex>, where the HMAC key is your session's VERIFY_TOKEN. The receiver computes the same HMAC-SHA256 over the raw request body, compares, and rejects mismatches with 401.

The Receive Webhooks page covers the algorithm and the exact handler code in detail.

From Sandbox To Production

The receiver code does not change between sandbox and production. Only three env values change.

• WHATSAPP_API_URL flips from the sandbox proxy URL to https://graph.facebook.com/v24.0.
• WHATSAPP_ACCESS_TOKEN flips from the sandbox session activation code to your WABA's long-lived access token.
• WHATSAPP_PHONE_NUMBER_ID flips from the shared sandbox number's ID to your WABA's phone number ID.

Next Steps

• Receive Webhooks: Understand what the receiver is verifying and why.
• Agent Skills: Have your AI agent clone and wire it for you.