Building Robust WhatsApp Integration with Node.js, Express, and Vonage

Frequently Asked Questions

Use the Vonage Messages API with the Node.js SDK and Express. Create a POST route in your Express app that uses the Vonage SDK to send messages via the API. Ensure your Vonage application is configured with the correct API credentials, including Application ID and Private Key, available in your Vonage Dashboard.
The Vonage Messages API is a unified platform for sending and receiving messages across different channels including WhatsApp, SMS, and MMS. This tutorial shows how to integrate with it to handle two-way WhatsApp communication from your Node.js application.
Webhook verification using JWT and a signature secret prevents unauthorized access to your application. By verifying the signature of incoming webhooks, you ensure that requests genuinely originate from Vonage and not from malicious actors. Without this check, anyone who learns your webhook URL can post forged messages or status updates to it.
Ngrok is essential for local development and testing Vonage webhooks as it exposes your local server to the internet. However, for production deployments, use a permanent public URL from your hosting provider, ensuring secure HTTPS configuration.
Navigate to "Developer Tools" > "Messages API Sandbox" in your Vonage Dashboard. Scan the provided QR code or send the specified WhatsApp message to whitelist your personal number for testing within the sandbox environment.
You'll need Node.js and npm (v18+ recommended), a Vonage API account, ngrok for local development, and a WhatsApp-enabled mobile phone for testing. Sign up for a free Vonage account to get started with test credits.
Set up webhook URLs in your Vonage application and sandbox settings. Your Express app needs routes to handle incoming messages (inbound URL) and delivery status updates (status URL). Vonage sends data to these URLs as webhooks.
Critically, you MUST replace the placeholder verification function with robust JWT verification using a library like 'jsonwebtoken'. Verify the JWT signature using your VONAGE_API_SIGNATURE_SECRET and validate standard claims like 'api_key', 'exp', and 'nbf' to ensure security. This step is mandatory for production.
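The check described above, as an added example that is not part of the original tutorial or of the Vonage SDK. It verifies the HS256 signature with Node's built-in `node:crypto` in place of `jsonwebtoken` so that it runs with no dependencies. The function names, the `VONAGE_API_KEY` variable, and treating `exp` and `nbf` as optional claims are assumptions of this sketch.

```javascript
// Added example: HS256 verification of a webhook bearer JWT using only node:crypto.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Returns the verified claims, or throws an Error naming the check that failed.
function verifyWebhookJwt(authHeader, secret, expectedApiKey, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || '');
  if (!m) throw new Error('missing or malformed bearer token');
  const [, head, body, sig] = m;

  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch { throw new Error('token is not valid JSON'); }

  // Pin the algorithm; the token must never choose how it is verified.
  if (header.alg !== 'HS256') throw new Error('unexpected alg');

  // Recompute the MAC over "header.payload" and compare in constant time.
  const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) throw new Error('bad signature');

  // Claims are trusted only after the signature has been checked.
  if (claims.api_key !== expectedApiKey) throw new Error('api_key mismatch');
  if (typeof claims.exp === 'number' && now >= claims.exp) throw new Error('token expired');
  if (typeof claims.nbf === 'number' && now < claims.nbf) throw new Error('token not yet valid');
  return claims;
}

// Builds a constructed sample token for local testing (hypothetical helper).
function signSample(claims, secret, alg = 'HS256') {
  const head = Buffer.from(JSON.stringify({ alg, typ: 'JWT' })).toString('base64url');
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `Bearer ${head}.${body}.${sig}`;
}

// Express middleware: answer 401 before any handler reads the webhook body.
// VONAGE_API_KEY is an assumed variable name; the secret's name is from the tutorial.
function requireSignedWebhook(req, res, next) {
  let claims;
  try {
    claims = verifyWebhookJwt(req.headers.authorization,
      process.env.VONAGE_API_SIGNATURE_SECRET, process.env.VONAGE_API_KEY);
  } catch { return res.status(401).send('Unauthorized'); }
  req.webhookClaims = claims;
  next();
}
```

Mount `requireSignedWebhook` ahead of the handlers on both the inbound and status routes so an unsigned request never reaches application logic.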
The `private.key` file is used to authenticate your Node.js application with the Vonage API. Generate this file from your Vonage Application Dashboard. Never commit it to version control; use secrets management instead.
The `.env` file stores sensitive configuration, like API keys and secrets. It allows you to keep credentials separate from your code. `dotenv` loads variables from `.env` into `process.env`. Never commit the `.env` file.
Start your Node.js server with `node index.js`. Use `curl` or Postman to send test messages to your `/send-whatsapp` route. Send a WhatsApp message from your phone to the Vonage Sandbox number to test incoming messages. Check your server logs for webhook activity and responses.
Common problems include `401 Unauthorized` errors on webhooks (usually signature verification issues), webhooks not reaching the server (ngrok or URL problems), errors sending messages (number format, credentials), or the server not returning a `200 OK` to Vonage.
No. Replace ngrok with a proper hosting provider for stable, public HTTPS URLs. Implement robust JWT webhook verification. Securely manage environment variables, including `private.key`. Use a dedicated WhatsApp Business number via Vonage.
Prioritize secure JWT webhook verification. Integrate a database, implement state management, and add features like auto-replies and rich messages. Replace the sandbox number with a production WhatsApp Business number.