WaSphere
The self-hosted, open-source WhatsApp API platform.
Multi-session · multi-webhook · developer-first · MIT licensed.
Features • Quick Start • API • Security • Roadmap • Live Demo ↗
✨ Why WaSphere?
WaSphere is a self-hosted WhatsApp API platform for developers, hosting/WHMCS resellers, and billing systems that want a production-grade WhatsApp gateway they fully own — your server, your data, no managed SaaS, no per-message fees, no vendor lock-in.
| 🔓 100% open source | MIT licensed. Run it anywhere, fork it, ship it. |
| 🏠 Self-hosted & private | Your WhatsApp sessions and contact data never leave your infrastructure. |
| 🔐 Security-first | HMAC-signed webhooks, scoped API keys, SSRF-guarded delivery, encrypted secrets. |
| 🖥️ Developer dashboard | Next.js UI for sessions, webhooks, API keys, messaging, audit log + dark mode. |
| 💬 14 message types | Text, media, buttons, lists, polls, reactions, view-once, location, contacts… |
| 🐳 One-command Docker | docker compose up -d brings up the whole stack with auto-migrations. |
👉 Try it live (seeded demo, no signup): demo.wasphere.com
🏗️ Architecture
WaSphere is two cleanly separated services so the GPL-licensed WhatsApp engine stays isolated from your application layer:
┌─────────────────┐ HTTPS ┌──────────────────┐ internal ┌────────────────────┐
│ Dashboard UI │ ─────────▶ │ Dashboard API │ ────────────▶ │ WA Server │
│ Next.js (3004) │ │ NestJS · Prisma │ X-Api-Token │ NestJS · Baileys │
│ sessions/keys/ │ ◀───────── │ Postgres (3000) │ ◀──────────── │ WhatsApp (3001) │
│ webhooks UI │ │ auth · proxy │ │ the GPL boundary │
└─────────────────┘ └──────────────────┘ └────────────────────┘
- WA Server — the WhatsApp gateway (Baileys), the only component that links the GPL engine.
- Dashboard API — auth (JWT + scoped API keys), workspaces, webhook fan-out, audit log, and a token-injecting proxy to the WA Server.
- Dashboard UI — the management console. Talks only to the Dashboard API; never holds your WA Server token in the browser.
🎯 Features
📥 Inbox — new in v1.1
A realtime, two-pane WhatsApp Inbox right in your dashboard — send, receive, and manage conversations without leaving WaSphere.
| Capability | What you get |
|---|---|
| Send & receive | text · image · video · voice notes · documents · stickers — inline players + download |
| Polls + vote tracking | send a poll, receive the decrypted vote on a poll.vote webhook — powers Shopify / WooCommerce order confirmation |
| Reactions · forward · copy | react to any message (inbound or your own), forward to another chat |
| Tags · notes · mute | organise customers · private per-contact notes · per-chat mute |
| Realtime | live updates over SSE with automatic polling fallback |
| Multi-session filter | one universal inbox, or filter to a single WhatsApp number |
| Mobile-ready | responsive layout, slide-in panels, tap-friendly actions |
📖 Full v1.1 release notes: CHANGELOG → 1.1.0 · try it live: demo.wasphere.com
Core
| Feature | Status | Description |
|---|---|---|
| REST API | ✅ | Full WhatsApp API over HTTP |
| Multi-session | ✅ | Run many WhatsApp numbers from one deployment |
| Web dashboard | ✅ | Next.js console with dark mode + WCAG-AA contrast |
| Built-in API docs | ✅ | Interactive Scalar reference on both services |
| Workspaces | ✅ | Isolated config + data per workspace |
Messaging — 14 send types
Every type below has a dedicated REST endpoint and is fully implemented in the WA Server.
| # | Type | Notes |
|---|---|---|
| 1 | Text | with automatic link previews |
| 2 | Image | with caption, any common format |
| 3 | Video | with caption, streamable |
| 4 | Audio | voice notes (PTT) and audio files |
| 5 | Document | any file type, custom filename |
| 6 | Sticker | static and animated (WebP) |
| 7 | GIF | looping video sent as a GIF |
| 8 | View-once | self-destructing image / video |
| 9 | Buttons | interactive quick-reply buttons |
| 10 | List | interactive menu / list picker |
| 11 | Poll | multi-option polls |
| 12 | Reaction | emoji reaction to any message |
| 13 | Location | location pins (lat/long + label) |
| 14 | Contact | vCard contact cards |
Delivery & safety: bulk send with per-recipient outcome tracking · configurable per-session send delays + auto-read/receipts (anti-ban) · inbound webhooks for every incoming message and status update.
Security & Auth
| Feature | Status | Notes |
|---|---|---|
| Scoped API keys | ✅ | up to N keys, 12 permission scopes, per-session scoping |
| HMAC-signed webhooks | ✅ | v1,sha256= over timestamp.body, per-webhook secret, retries |
| SSRF-guarded delivery | ✅ | DNS pinning + private-IP denylist on all outbound webhooks |
| Encrypted secrets at rest | ✅ | AES-256-GCM for stored WA Server tokens |
| Argon2id + JWT rotation | ✅ | timing-safe login, refresh-token rotation + reuse detection |
| Security headers | ✅ | helmet on the API + headers on the UI |
| Audit log | ✅ | every API request logged; filterable; 90-day retention |
Operations
| Feature | Status | Notes |
|---|---|---|
| Per-session proxy | ✅ | HTTP / HTTPS / SOCKS5 per session |
| Rate limiting | ✅ | sliding-window per session + global throttle |
| Health checks | ✅ | liveness/readiness probes, Kubernetes-ready |
| One-command Docker | ✅ | docker compose up -d, migrations auto-run |
| PostgreSQL 16 | ✅ | production-grade storage via Prisma |
🚀 Quick Start
Requirements: Docker Engine 24+ and Docker Compose v2. (For a public deployment, bring your own reverse proxy for TLS — WaSphere does not bundle one.)
git clone https://github.com/wasphere/wasphere.git
cd wasphere
cp .env.example .env
# POSTGRES_PASSWORD, JWT_SECRET, ENCRYPTION_KEY, WA_TOKEN,
# WEBHOOK_SIGNING_SECRET, INTERNAL_WEBHOOK_SECRET
docker compose up -d
Then open http://localhost:3004, register the first (admin) account, and in Settings → WA Server set the URL to http://wa-server:3001 and your WA_TOKEN. Connect a number under Sessions, and you're live.
Full walkthrough: Quick Start docs · Configuration reference
Services
| Service | URL |
|---|---|
| Dashboard UI | http://localhost:3004 |
| Dashboard API | http://localhost:3000 |
| WA Server | http://localhost:3001 |
| API reference | …:3001/api/reference (WhatsApp API) · …:3000/api/reference (Admin API) |
Local development
pnpm install
docker compose -f docker-compose.dev.yml up -d # Postgres only
pnpm prisma:migrate
pnpm dev # all three packages
📡 API
Requests go through the Dashboard API, which proxies to your WA Server and injects the token. Authenticate with a scoped key: Authorization: Bearer wsk_….
# Send a text message
curl -X POST https://api.your-domain.com/workspaces/{workspaceId}/proxy/api/sessions/{sessionId}/messages/text \
-H "Authorization: Bearer wsk_your_key" \
-H "Content-Type: application/json" \
-d '{ "to": "12125550100", "text": "Hello from WaSphere!" }'
# Register a signed webhook
curl -X POST https://api.your-domain.com/workspaces/{workspaceId}/webhooks \
-H "Authorization: Bearer wsk_your_key" \
-H "Content-Type: application/json" \
-d '{ "name": "n8n", "url": "https://n8n.example.com/webhook/wa", "events": ["message.received"] }'
Every delivery is signed: X-WaSphere-Signature: v1,sha256=<hmac> over {timestamp}.{rawBody}.
Interactive API reference — every endpoint, request/response schema, and try-it-out console ships built-in on both services (at /docs/wa-server and /docs/admin on your own deployment). Explore them live:
- 📘 WA Server API — sessions, messages (all 14 types), contacts, groups
- 📗 Dashboard / Admin API — auth, workspaces, API keys, webhooks, proxy
🔐 Security
- No vendor trust required — sessions and contacts live only on your infrastructure.
- Scoped, hashed API keys — 12 permission scopes plus optional per-session scoping; keys stored Argon2id-hashed, shown once.
- Signed webhooks with SSRF protection — HMAC-SHA256 signatures, per-webhook secrets, exponential-backoff retries, auto-deactivation; outbound delivery is DNS-pinned and blocks private/loopback/link-local/cloud-metadata targets.
- Secrets encrypted at rest — AES-256-GCM for WA Server tokens; secrets only via environment variables, never committed.
- Hardened auth — Argon2id passwords, timing-safe login, JWT refresh-token rotation with reuse detection, registration locks after the first admin.
- Header-only WA token + proxy stripping — the WA Server token is accepted via
X-Api-Tokenonly and is stripped from all proxied responses, so it never reaches the browser.
Found a vulnerability? See CONTRIBUTING.md for responsible disclosure.
🛠 Tech Stack
| Layer | Technology |
|---|---|
| WA Server | NestJS · TypeScript · Baileys (pinned 6.7.21) |
| Dashboard API | NestJS · Prisma · PostgreSQL 16 |
| Dashboard UI | Next.js 16 · TailwindCSS · ShadCN UI |
| Auth | JWT + Argon2id · scoped API keys |
| Monorepo | pnpm workspaces |
| Container | Docker + Docker Compose |
📁 Project Structure
wasphere/
├── packages/
│ ├── wa-server/ # WhatsApp gateway (NestJS + Baileys) — the GPL boundary
│ ├── dashboard-api/ # NestJS + Prisma API: auth, workspaces, webhooks, proxy
│ └── dashboard-ui/ # Next.js dashboard
├── docker-compose.yml # portable full stack (self-host)
├── docker-compose.dev.yml # Postgres only (local dev)
├── docker-compose.prod.yml # Dokploy/Traefik overlay
├── docker-compose.demo.yml # DEMO_MODE showcase (demo.wasphere.com)
├── CONFIGURATION.md
└── README.md
��️ Roadmap
WaSphere Core is MIT and free forever. Commercial products are built on top of the Core as a dependency — the Core never becomes paid.
🆓 Open-source Core (MIT)
| Version | Theme | Status |
|---|---|---|
| v1.0 | Foundation — WhatsApp API platform (multi-session, 14 send types, webhooks, scoped API keys, dashboard) | ✅ shipped |
| v1.1 | Inbox — realtime inbox: send/receive media, polls + decrypted votes, reactions, tags/notes, multi-session (notes) | ✅ shipped |
| v1.2 | Reliability & Trust — Meta Cloud API as an alternative backend (per-session provider choice + Baileys→Meta auto-failover) · inbox polish (streaming media, location/contact-card previews, poll-resolve helper) · browser notifications | 🚧 in progress |
| v1.3 | Team & Multi-agent — assign conversations, agent roles, internal notes & @mentions | planned |
| v1.5 | Platform — MySQL / SQLite support, multiple workspaces per deployment, basic AI replies | planned |
| v2.0 | Mature Core | planned |
🎯 v1.2 makes WaSphere the only MIT-licensed, self-hostable WhatsApp platform that runs both Baileys (unofficial) and the official Meta Cloud API behind one unified, per-session API. Intelligent routing, cost optimization and the Shopify/WooCommerce integrations are part of WaSphere Pro.
💼 Commercial products (paid · closed-source · built on the Core)
These run on top of WaSphere Core and are developed separately — the Core stays MIT and self-hostable on its own.
- WaSphere for Shopify — WhatsApp order confirmation, abandoned-cart and shipping flows (after v1.2)
- WaSphere for WooCommerce (after Shopify)
- WaSphere for WHMCS — billing & client notifications
- WaSphere Pro (hosted SaaS) — fully managed cloud, no self-hosting
Have a request? Open an issue.
📚 Documentation
| Resource | Description |
|---|---|
| Quick Start | Deploy + first message in ~10 min |
| Installation | Every service & port explained |
| Configuration | Full environment reference |
| WHMCS integration | Order/invoice WhatsApp alerts |
| Webhooks | Real-time events + signatures |
🤝 Contributing
- Fork the repo and create a branch (
git checkout -b feature/amazing-feature) - Commit your changes (Conventional Commits; include
Closes #N) - Push and open a Pull Request
See CONTRIBUTING.md for setup, branch naming, and PR guidelines.
📄 License
MIT — free for personal and commercial use. See LICENSE.
The WA Server links Baileys, which depends on
libsignal(GPLv3). WaSphere isolates all Baileys code in the WA Server binary; the rest of the platform stays MIT-clean.
Website · Live Demo · Issues · Docs
Made with ❤️ by Waqas Ahmed Waseer
Hosting by WaseerHost · Not affiliated with WhatsApp Inc. or Meta.
Comments