DIY

Going direct to Meta without HookMyApp as a broker. What you would still need, and what you would build yourself.

What DIY Looks Like

You call graph.facebook.com/v24.0 directly with your WABA's long-lived access token. Meta calls your webhook URL directly. You verify Meta's X-Hub-Signature-256 header using your Meta app's APP_SECRET as the HMAC key.

HookMyApp is no longer in the data path. You keep the Meta embedded signup flow (you still need a connected WABA) and handle everything else yourself.

What You Build Yourself

• A public HTTPS endpoint with a valid certificate. No HTTP, no self-signed.
• Webhook verification: the initial GET challenge plus HMAC-SHA256 signature check on every POST, using APP_SECRET.
• Access-token refresh. Long-lived tokens expire in 60 days; you rotate through the Meta Business Manager or the Graph API before expiry.
• Error handling and retry logic for Meta's 4xx and 5xx responses.
• Rate-limit backoff when Meta returns 429 or business-initiated-conversation caps.

What You Still Need From HookMyApp

Embedded signup is Meta's flow, but it requires a registered tech-provider app. HookMyApp is that tech-provider app for you. You still go through hookmyapp channels connect to get a WABA, even if you plan to go direct to Meta for everything else.

After the WABA is connected, switch to your own Meta app credentials and drop HookMyApp from the data path. Before going DIY, see the Connect WABA page in this pillar.

The Signature Difference

Different header, different key.

Direct-to-Meta sends X-Hub-Signature-256 with your APP_SECRET as the HMAC key. HookMyApp forwards X-HookMyApp-Signature-256 with your session's VERIFY_TOKEN as the key. If you switch between the two, you must switch which key your verifier uses.

Next Steps

• Connect WABA: Even DIY still needs an embedded-signup WABA.