Skip to content

Permissions

Updated: May 21, 2026

Platform endpoints are gated by permissions. References for each endpoint indicate which permissions it requires, but in general, you will need the following:

  • whatsapp_business_management — needed to access metadata on your WhatsApp Business account, template management, getting business phone numbers associated with your WABA, all analytics, and to receive webhooks notifying you of changes to your WhatsApp Business account
  • whatsapp_business_messaging — needed to send any type of message to WhatsApp users, and to receive incoming message and message status webhooks

Depending on your business needs, you may also need these permissions:

App Review

If you are a partner and your clients will be using your app to access their data, your app must undergo App Review, and you must be approved for Advanced access for any permissions your app needs. If you lack Advanced access for a given permission, your clients cannot grant your app that permission via Embedded Signup.

If your app uses the whatsapp_business_management permission to access WABAs not owned by your business, you must have Advanced access for that permission. Without it, API calls return error code 200.

If you are a direct developer and only access your own business data, you do not need to undergo App Review or obtain Advanced access for any permissions.

How to get permissions

App users must grant your app individual permissions. If you are a direct developer and are using a system token, when you create a system token, you must create a system user and use it to grant your app individual permissions as part of the system token creation process:

Generate token dialog on the Assign permissions step, with whatsapp_business_management, whatsapp_business_messaging, and business_management selected

If you are a partner using business tokens, the Embedded Signup authorization screen allows your client to grant your app permissions for which you have Advanced access approval:

Embedded Signup authorization screen prompting the client to grant WhatsApp Business Account access permissions to the app

Checking for granted permissions

Use the debug_token endpoint to see which permissions the token granter has granted to your app. Alternatively, you can use the access token debugger tool, which returns the same information.

Request syntax

curl 'https://graph.facebook.com/<API_VERSION>/debug_token?input_token=<ACCESS_TOKEN_TO_CHECK>' \  
-H 'Authorization: Bearer <ACCESS_TOKEN>'

Response syntax

Granted permissions are assigned to the scopes property.

{  
    "data": {  
        "app_id": "634974688087057",  
        "type": "SYSTEM_USER",  
        "application": "Lucky Shrub",  
        "data_access_expires_at": 0,  
        "expires_at": 0,  
        "is_valid": true,  
        "issued_at": 1712099387,  
        "scopes": [  
            "whatsapp_business_management",  
            "whatsapp_business_messaging"  
        ],  
        "granular_scopes": [  
            {  
                "scope": "whatsapp_business_management"  
            },  
            {  
                "scope": "whatsapp_business_messaging"  
            }  
        ],  
        "user_id": "104169029247128"  
    }  
}

Unofficial mirror for reference/search purposes. All content originates from developers.facebook.com — see the source link at the top of each page. Machine-readable indexes: llms.txt · llms-full.txt · About