Connecting WhatsApp Business API to Custom Flat-PHP Web Portals: A Tour Booking Guide

Q: How do you handle signature verification and verify the authenticity of incoming WhatsApp webhooks in custom flat-PHP scripts?

To handle signature verification securely in custom flat-PHP, retrieve the X-Hub-Signature-256 header sent by Meta and compare it to a locally calculated HMAC-SHA256 hash. Read the raw, unprocessed input stream directly using file_get_contents('php://input') instead of relying on the $_POST superglobal, which does not capture raw JSON payloads. Compute the HMAC using hash_hmac('sha256', $rawBody, $appSecret) with your Meta App Secret. Finally, perform a secure, constant-time comparison using hash_equals() to prevent timing-based side-channel attacks. Reject failed verifications with a 401 Unauthorized HTTP status code to secure your webhook against spoofing attempts.

Q: How can a tour operator manage high-latency or intermittent offline states when synchronizing WhatsApp confirmations in low-bandwidth zones like Leh/Ladakh?

In low-connectivity and high-latency areas like Leh/Ladakh, you must decouple message dispatching from the checkout process to prevent web request timeouts and database lockouts. Avoid synchronous cURL calls during booking. Instead, log the message payload into a custom MySQL outbox table with a 'pending' status. Run a lightweight CLI worker script as a background process via a server-side cron job (e.g., every minute) to query this queue, attempt API transmission, and handle connectivity failures. In case of network drops, the worker implements an exponential backoff retry algorithm (e.g., 2^retry_count * 60 seconds) and flushes the queue automatically when active fiber or cellular links are restored.

Q: What is the structural difference between WhatsApp Session Messages and Template Messages, and how do you programmatically route them in flat-PHP?

Template Messages (HSMs) are pre-approved, highly structured notification templates required to initiate conversations or message customers outside of Meta's strict 24-hour window. They are charged based on conversation category and require structural placeholders. Session Messages are free-form messages allowed only within 24 hours of a customer's inbound message. Within this active window, businesses can send custom text, files, and interactive dropdown lists without pre-approval. In flat-PHP, query the customer's last_inbound_at timestamp from the MySQL database and calculate the time elapsed. If the duration is under 86,400 seconds, dynamically route the communication via the free-form Session Text API; otherwise, automatically fallback to the Template API to maintain strict compliance.

Q: How do you parse complex interactive button responses and quick replies from the WhatsApp webhook payload using flat-PHP?

When a customer taps an interactive component, Meta transmits an HTTP POST payload to your webhook. In flat-PHP, read the raw input via file_get_contents('php://input') and decode the JSON into an associative array. Verify if the message type is set to 'interactive' and check if the payload contains 'button_reply' or 'list_reply' under entry[0].changes[0].value.messages[0].interactive. Extract the developer-defined identifier (id) and use a structured switch-case statement inside your handler to execute corresponding backend operations, such as updating booking statuses in MySQL or triggering follow-up automated text confirmations.

Q: How should media files (such as PDF tour vouchers or JPEG permits) be uploaded and sent via the WhatsApp Cloud API using raw cURL in flat-PHP?

For standard, non-sensitive documents like public marketing brochures, pass the file's secure, publicly accessible HTTPS CDN URL in the document's 'link' field of the API payload. For highly confidential documents like regional Inner Line Permits (ILPs) containing guest passport details, use the binary media upload method. Post the local file to Meta's secure /media endpoint via a multipart/form-data cURL request using the CURLFile utility. Meta processes the file and returns a unique media_id, which you then reference in your API message payload. This keeps the files secured within Meta's encrypted vault without exposing raw, sensitive documents to the public internet.

Missed booking inquiries cost Indian tour operators significant revenue. Relying solely on email or phone calls creates bottlenecks, especially when customers expect instant responses. Integrating the WhatsApp Business API directly into a custom flat-PHP web portal automates communication, streamlines booking processes, and provides real-time support, transforming customer engagement and operational efficiency.

📁 Table of Contents

👉 The WhatsApp Business API Advantage for Indian Tour Operators
👉 Understanding the WhatsApp Business API Architecture
👉 Designing Your Flat-PHP Portal for API Integration
👉 Code Example: Sending a Template Message
👉 Frequently Asked Questions (FAQ)

The WhatsApp Business API Advantage for Indian Tour Operators

In India, WhatsApp is not just a messaging app; it is the primary mode of digital communication for over 535 million users. For tour operators, especially those catering to domestic travelers or operating in regions like Ladakh or Uttarakhand, failing to meet customers on this ubiquitous platform means losing leads and bookings. The WhatsApp Business API moves beyond the basic WhatsApp Business app, offering programmatic access to send and receive messages, automate interactions, and integrate directly with existing systems.

This API allows businesses to send template messages for booking confirmations, payment reminders, and travel updates, as well as engage in free-form conversations with customers within a 24-hour window. Imagine a customer booking a Rishikesh yoga retreat package online. Instead of waiting for an email, they receive an instant, personalized booking confirmation on WhatsApp, complete with itinerary details and payment links. This immediacy significantly improves the customer experience and builds trust.

For businesses in Tier-2 and Tier-3 cities, where digital literacy might vary, WhatsApp's simplicity and widespread adoption make it an indispensable tool. It transcends language barriers through easy translation tools and allows for rich media sharing, such as sending photographs of a hotel room or a map to a meeting point. The API enables tour operators to manage a high volume of inquiries without additional staff, making their operations more scalable and efficient. For instance, a small adventure tour company in Manali can automate responses to frequently asked questions about trek difficulty or equipment lists, freeing up staff to handle more complex customer needs. This direct, mobile-first approach is crucial, especially considering that many Indian customers access booking portals primarily via smartphones, often on slower mobile networks. Businesses that fail to prioritize mobile experience, including instant communication, often see high bounce rates. For a deeper understanding of mobile challenges, consider Why Indian Hotel Websites Lose 70% of Bookings on Mobile.

Understanding the WhatsApp Business API Architecture

Integrating with the WhatsApp Business API requires understanding its core components and how they interact. This isn't just about sending messages; it's about building a robust communication channel.

The primary components are:

WhatsApp Business API Client: This is the application that connects to WhatsApp's servers. It handles message encryption, sending, and receiving. Historically, this involved hosting an On-Premise API client, which required dedicated servers and significant setup. However, Meta's Cloud API has simplified this by hosting the client directly, allowing businesses to interact via HTTP requests.
Webhooks: These are essential for receiving inbound messages and status updates. When a customer sends a message to your WhatsApp Business number, WhatsApp (or Meta's Cloud API) sends an HTTP POST request to a specific URL you provide (your webhook endpoint). Your PHP portal then processes this data.
Access Tokens: These secure keys authorize your PHP application to make API calls to send messages or retrieve information. They are generated from your Meta Developer Account and must be kept confidential.

Cloud API vs. On-Premise API: A Crucial Comparison

Choosing between Meta's Cloud API and the On-Premise API is a fundamental decision for Indian businesses.

Feature	WhatsApp Business Cloud API	WhatsApp Business On-Premise API
Hosting	Hosted by Meta (Facebook)	Hosted by the business on their own servers or a cloud provider
Setup & Maintenance	Minimal setup, Meta handles infrastructure, updates, scaling	Requires server setup, maintenance, manual updates, scaling
Cost	Generally pay-as-you-go based on messages, no infrastructure cost	Infrastructure costs (servers, DevOps) + message costs
Scalability	Automatically scales with demand	Requires manual scaling and infrastructure planning
Control	Less control over infrastructure, more reliance on Meta	Full control over data and infrastructure
Latency	Can be slightly higher due to external hosting	Potentially lower latency if hosted close to users/WhatsApp servers
Complexity	Simpler integration, primarily HTTP requests	More complex, involves Docker containers, database management
Ideal For	Most SMBs, startups, quick deployments, cost-conscious businesses	Large enterprises with specific data residency or customization needs

For the vast majority of Indian tour operators and SMBs building flat-PHP portals, the Cloud API is the preferred choice. It removes the burden of server management, ensures automatic updates, and simplifies integration to standard HTTP requests. This aligns perfectly with the flat-PHP approach, focusing on lean, efficient development.

Authentication and Message Types

Authentication for the Cloud API primarily uses permanent access tokens (for sending messages) and webhook verification tokens (for securing incoming messages). The process involves generating a token from your Meta Developer App and including it in your API requests.

WhatsApp supports various message types:

Text Messages: Standard conversational messages.

Text Messages: Standard conversational messages.
Media Messages: Images, videos, audio, documents (e.g., PDF tickets).
Template Messages (HSMs): Pre-approved templates for initiating conversations.
Interactive Messages: Messages with call-to-action buttons or quick-reply buttons.

Designing Your Flat-PHP Portal for API Integration

Building a custom flat-PHP portal for WhatsApp API integration offers unparalleled control, flexibility, and often, a lower total cost of ownership compared to complex CMS solutions. Your flat-PHP portal will need several key components to effectively communicate with the WhatsApp Business API:

Database (e.g., MySQL): Essential for storing customer information, booking details, message history, and potentially API credentials (securely encrypted).
API Client Script(s): PHP files responsible for constructing and sending HTTP requests to the WhatsApp Cloud API.
Webhook Endpoint: A dedicated PHP file that acts as a listener for incoming messages and status updates from WhatsApp.
Admin Interface (Optional but Recommended): A simple PHP interface for tour operators to view bookings, manage message templates, and monitor communication logs.

Security Considerations

API Keys: Never hardcode your WhatsApp Business API access token directly into your PHP scripts.
Input Validation: All data received from webhooks or user input must be rigorously validated and sanitized to prevent SQL injection, cross-site scripting (XSS), and other vulnerabilities.
Webhook Verification: WhatsApp sends a X-Hub-Signature-256 header with each webhook request. Your PHP endpoint must verify this signature using your App Secret.
HTTPS: Your webhook endpoint must be served over HTTPS.
Principle of Least Privilege: Your database user should only have the necessary permissions for your application.

User Flow Example: Booking Confirmation via WhatsApp

Customer Books Tour: A customer completes a booking form on your flat-PHP website for a trekking package.
Booking Data Saved: Your PHP script saves the booking details into your MySQL database.
WhatsApp Message Triggered: Immediately after successful booking, your PHP script makes an API call to the WhatsApp Cloud API.
Customer Receives Confirmation: The customer receives the confirmation on their WhatsApp.

Code Example: Sending a Template Message

Here’s a basic PHP example demonstrating how to send a pre-approved template message using curl to the WhatsApp Cloud API.


<?php

/**
 * Send a WhatsApp template message using Meta Cloud API
 *
 * @param string $recipientPhone Recipient phone number in international format
 * @param string $templateName Approved template name
 * @param array $parameters Array of dynamic parameters for the template placeholders
 * @return array Response from WhatsApp API
 */
function sendWhatsAppTemplateMessage(string $recipientPhone, string $templateName, array $parameters = []): array {
    $accessToken = getenv('WHATSAPP_API_TOKEN') ?: 'YOUR_META_PERMANENT_ACCESS_TOKEN';
    $phoneNumberId = getenv('WHATSAPP_PHONE_NUMBER_ID') ?: 'YOUR_PHONE_NUMBER_ID';
    $apiVersion = 'v19.0'; 

    $cleanPhone = preg_replace('/[^0-9]/', '', $recipientPhone);

    $parameterPayload = [];
    foreach ($parameters as $param) {
        $parameterPayload[] = [
            'type' => 'text',
            'text' => (string)$param
        ];
    }

    $payload = [
        'messaging_product' => 'whatsapp',
        'to' => $cleanPhone,
        'type' => 'template',
        'template' => [
            'name' => $templateName,
            'language' => ['code' => 'en'],
            'components' => [[
                'type' => 'body',
                'parameters' => $parameterPayload
            ]]
        ]
    ];

    $url = "https://graph.facebook.com/{$apiVersion}/{$phoneNumberId}/messages";
    $ch = curl_init($url);

    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        "Authorization: Bearer {$accessToken}",
        "Content-Type: application/json"
    ]);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 15);

    $response = curl_exec($ch);
    $httpStatusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $curlError = curl_error($ch);
    curl_close($ch);

    if ($curlError) {
        return ['success' => false, 'error' => "cURL Error: " . $curlError];
    }

    $decodedResponse = json_decode($response, true);
    if ($httpStatusCode >= 200 && $httpStatusCode < 300) {
        return ['success' => true, 'message_id' => $decodedResponse['messages'][0]['id'] ?? 'unknown'];
    }

    return ['success' => false, 'status_code' => $httpStatusCode, 'error' => $decodedResponse['error']['message'] ?? 'API error'];
}
?>

Frequently Asked Questions

How do you handle signature verification and verify the authenticity of incoming WhatsApp webhooks in custom flat-PHP scripts?

In a raw flat-PHP architecture, handling incoming webhook notifications securely is paramount. Because your webhook URL must be exposed publicly to receive HTTP POST payloads from Meta's servers, it represents an attack vector for malicious actors seeking to spoof notifications, manipulate booking statuses, or execute denial-of-service attempts. To prevent this, Meta signs every webhook payload with a cryptographic SHA-256 signature, which is transmitted in the X-Hub-Signature-256 HTTP header. This signature is generated using your Meta Developer Application's secret key (App Secret) as the signing key and the raw JSON request body as the message.

To verify this signature within your custom flat-PHP webhook listener, you must compare the signature sent by Meta with a locally calculated HMAC-SHA256 signature of the incoming request body. You must retrieve the signature header and compute the local signature using the raw input stream rather than the processed $_POST or $_REQUEST superglobals. In PHP, this raw request body must be read directly from the php://input stream. Once the local signature is computed, it is highly critical to perform a constant-time string comparison using hash_equals() instead of standard comparison operators (like == or ===). Constant-time comparisons mitigate timing attacks, where an attacker determines signature characters by analyzing microscopic differences in response times.

The following table outlines the key webhook signature components you must parse and verify:

Component Name	PHP Superglobal / Retrieval Method	Purpose / Expected Format
X-Hub-Signature-256 Header	`$_SERVER['HTTP_X_HUB_SIGNATURE_256']`	Contains the prefix `sha256=` followed by a 64-character hexadecimal signature string.
Raw Request Body	`file_get_contents('php://input')`	The exact, unaltered raw JSON payload string sent by Meta.
App Secret	`getenv('META_APP_SECRET')` or a secure config constant	Your Meta App Secret, which must be kept confidential and stored outside the web root.
Comparison Function	`hash_equals($calculated, $received)`	Secures the comparison against timing-based side-channel attacks.

Here is a complete, production-ready code snippet to implement secure signature verification in your flat-PHP webhook script:


<?php
// webhook-listener.php - Production-Ready Verification

// 1. Retrieve the signature header
$headers = getallheaders();
$receivedSignature = isset($headers['X-Hub-Signature-256']) ? $headers['X-Hub-Signature-256'] : null;

// Fallback for Nginx or other environments where getallheaders() might not be defined
if (!$receivedSignature && isset($_SERVER['HTTP_X_HUB_SIGNATURE_256'])) {
    $receivedSignature = $_SERVER['HTTP_X_HUB_SIGNATURE_256'];
}

// 2. Load the App Secret from a secure environment variable
$appSecret = getenv('META_APP_SECRET') ?: 'your_actual_meta_app_secret_here';

if (!$receivedSignature) {
    http_response_code(400); // Bad Request
    echo json_encode(["status" => "error", "message" => "Missing signature header"]);
    exit;
}

// 3. Read the raw, unprocessed request body from the input stream
$rawPayload = file_get_contents('php://input');

if (empty($rawPayload)) {
    http_response_code(400);
    echo json_encode(["status" => "error", "message" => "Empty request body"]);
    exit;
}

// 4. Extract the signature hash from the prefix (sha256=...)
if (strpos($receivedSignature, 'sha256=') === 0) {
    $receivedHash = substr($receivedSignature, 7);
} else {
    http_response_code(400);
    echo json_encode(["status" => "error", "message" => "Invalid signature format"]);
    exit;
}

// 5. Compute the expected HMAC using the raw payload and your App Secret
$expectedHash = hash_hmac('sha256', $rawPayload, $appSecret);

// 6. Verify the signatures using a constant-time comparison function
if (hash_equals($expectedHash, $receivedHash)) {
    // Signature is authentic - proceed with parsing
    $data = json_decode($rawPayload, true);
    
    // Handle the webhook data (e.g., update booking states, dispatch confirmations)
    // ...

    // Respond with a 200 OK to acknowledge receipt
    http_response_code(200);
    echo json_encode(["status" => "success", "message" => "Webhook processed successfully"]);
} else {
    // Log the failed attempt for security auditing
    error_log("Security Alert: Invalid webhook signature received from " . $_SERVER['REMOTE_ADDR']);
    
    // Reject the request with a 401 Unauthorized code
    http_response_code(401);
    echo json_encode(["status" => "error", "message" => "Invalid signature verification failed"]);
}
exit;

How can a tour operator manage high-latency or intermittent offline states when synchronizing WhatsApp confirmations in low-bandwidth zones like Leh/Ladakh?

Operating a real-time tour booking platform in high-altitude, mountainous regions like Leh/Ladakh presents severe network infrastructure challenges. Tour operators regularly face high packet loss, satellite backhaul latency spikes (often exceeding 800ms), and full network blackouts caused by extreme weather, landslides, or administrative internet suspensions. Direct, synchronous cURL API dispatches during the checkout process will inevitably cause browser timeouts, database locks, duplicate charging errors, and highly frustrated clients who receive no feedback.

To overcome these connectivity barriers, you must transition your flat-PHP architecture from a synchronous "direct-dispatch" model to a resilient, asynchronous, transaction-safe queue. In this decoupled approach, when a customer completes a booking, your front-end script does not trigger the WhatsApp API directly. Instead, it logs the message payload into a dedicated MySQL outbox table and returns an immediate success page to the user. A lightweight background CLI worker, executed via a local server-side cron job, constantly polls this database queue, attempts delivery, handles API failures, and schedules automatic retries using an exponential backoff algorithm. If the regional fiber connection is cut, the background worker safely pauses, retaining all booking notifications in the secure MySQL database. The moment internet connectivity is restored, the queue resumes processing, flushing all pending confirmations automatically without human intervention.

Let's define the database structure for our highly resilient outbox queue:


CREATE TABLE `whatsapp_outbox` (
  `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
  `recipient_phone` varchar(20) NOT NULL,
  `message_type` enum('template','text','document') NOT NULL DEFAULT 'template',
  `payload` text NOT NULL,
  `status` enum('pending','sending','sent','failed') NOT NULL DEFAULT 'pending',
  `retry_count` int(11) NOT NULL DEFAULT '0',
  `max_retries` int(11) NOT NULL DEFAULT '5',
  `next_attempt_at` datetime NOT NULL,
  `created_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `updated_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`),
  KEY `idx_status_next_attempt` (`status`,`next_attempt_at`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

Here is an expert-level CLI worker script (cron-whatsapp-worker.php) that handles queue polling, handles errors, and executes the delivery loop with exponential backoff:


<?php
// cron-whatsapp-worker.php - Run every minute via server cron: * * * * * php /path/to/cron-whatsapp-worker.php

// Prevent script timeouts in CLI mode
set_time_limit(0);
ini_set('memory_limit', '128M');

require_once __DIR__ . '/db-connect.php'; // Includes secure PDO connection $pdo
require_once __DIR__ . '/whatsapp-helper.php'; // Includes sendWhatsAppTemplateMessage() etc.

// 1. Fetch pending messages ready for processing
$now = date('Y-m-d H:i:s');
$stmt = $pdo->prepare("
    SELECT * FROM whatsapp_outbox 
    WHERE status = 'pending' AND next_attempt_at <= :now 
    LIMIT 20
");
$stmt->execute(['now' => $now]);
$messages = $stmt->fetchAll(PDO::FETCH_ASSOC);

if (empty($messages)) {
    exit; // Nothing to process
}

foreach ($messages as $msg) {
    // Mark as sending to prevent duplicate processing by concurrent threads
    $pdo->prepare("UPDATE whatsapp_outbox SET status = 'sending' WHERE id = :id")->execute(['id' => $msg['id']]);

    $payload = json_decode($msg['payload'], true);
    
    // 2. Attempt API transmission
    if ($msg['message_type'] === 'template') {
        $result = sendWhatsAppTemplateMessage($msg['recipient_phone'], $payload['template_name'], $payload['parameters']);
    } else {
        // Standard text or media messages
        $result = sendWhatsAppTextMessage($msg['recipient_phone'], $payload['text']);
    }

    if ($result['success']) {
        // 3. Success - Update status and record Meta message ID
        $pdo->prepare("
            UPDATE whatsapp_outbox 
            SET status = 'sent', updated_at = NOW() 
            WHERE id = :id
        ")->execute(['id' => $msg['id']]);
    } else {
        // 4. Failure - Calculate exponential backoff: 2^retry_count * 60 seconds (1m, 2m, 4m, 8m, 16m)
        $nextRetryCount = $msg['retry_count'] + 1;
        
        if ($nextRetryCount >= $msg['max_retries']) {
            // Hard failure - Stop retrying to avoid spamming or wasting API credits
            $pdo->prepare("
                UPDATE whatsapp_outbox 
                SET status = 'failed', retry_count = :retries, updated_at = NOW() 
                WHERE id = :id
            ")->execute([
                'retries' => $nextRetryCount,
                'id' => $msg['id']
            ]);
            
            // Alert administrators of systemic network blockages or invalid numbers
            error_log("WhatsApp Delivery Failed permanently for Booking Phone: " . $msg['recipient_phone']);
        } else {
            $delaySeconds = pow(2, $nextRetryCount) * 60;
            $nextAttempt = date('Y-m-d H:i:s', time() + $delaySeconds);
            
            $pdo->prepare("
                UPDATE whatsapp_outbox 
                SET status = 'pending', retry_count = :retries, next_attempt_at = :next_attempt, updated_at = NOW() 
                WHERE id = :id
            ")->execute([
                'retries' => $nextRetryCount,
                'next_attempt' => $nextAttempt,
                'id' => $msg['id']
            ]);
        }
    }
}

What is the structural difference between WhatsApp Session Messages and Template Messages, and how do you programmatically route them in flat-PHP?

Meta enforces a strict conversational policy to protect WhatsApp users from spam, separating communication into two distinct categories: Template Messages (also known as Highly Structured Messages or HSMs) and Session Messages (or Customer Service Messages). A robust flat-PHP routing engine must automatically distinguish between these two modes to optimize messaging costs and ensure API compliance.

A Template Message is a pre-approved, highly regulated notification format used to initiate conversations or resume interactions outside Meta's strict 24-hour "customer service window." Any message sent by a business to a customer who has not messaged the business in the last 24 hours must be an approved Template Message. These templates contain structural placeholders (e.g., {{1}}, {{2}}) and support buttons, but cannot contain arbitrary free-form text. Meta charges for template messages based on their category (Utility, Marketing, or Authentication) and the customer's country code (e.g., Indian templates are significantly cheaper than European ones). Conversely, a Session Message is a completely free-form message sent within a 24-hour window opened when the customer sends an inbound message. Within this active 24-hour session, businesses can send arbitrary text, files, and custom interactive list menus without pre-approval, and there is no per-message charge for these session messages under Meta's direct Cloud API tier.

Here is a structural comparison between the two messaging types:

Parameter	Template Messages (HSMs)	Session Messages
Initiator	Business-initiated (any time) or resumed after 24 hours.	Customer-initiated (inbound triggers the window).
Approval Required	Yes, must be pre-approved inside the Meta Business Manager.	No, supports any custom conversational text or media.
Meta Pricing	Charged per conversation category (Utility, Marketing, etc.).	Free tier (up to 1,000 conversations/month, then session rate).
Interactive Assets	Buttons (Quick Reply, Call-to-Action) predefined in templates.	Dynamic lists, radio button rows, dynamic quick replies.
Ideal Use Case	Booking confirmations, payment reminders, immediate alerts.	Real-time support, custom itinerary planning, customer chat.

To automate routing in flat-PHP, write a utility function that dynamically checks a user's conversational record. The function queries the database to compare the timestamp of the last customer inbound message with the current system time. If the difference is less than 24 hours, it calls the lightweight, free-form Session Message API. If the window has expired, it automatically constructs a Template Message API call to re-engage the customer safely:


<?php
// message-router.php - Dynamic Session vs Template Routing

/**
 * Route a message programmatically based on the 24-hour session window
 *
 * @param PDO $pdo Active database connection
 * @param int $customerId Customer database ID
 * @param string $textContent Fallback text for session message
 * @param string $templateName Target template name for out-of-window contacts
 * @param array $templateParams Parameters for the template
 * @return array Status array
 */
function routeWhatsAppCommunication(PDO $pdo, int $customerId, string $textContent, string $templateName, array $templateParams): array {
    // 1. Fetch customer phone and the last inbound message timestamp
    $stmt = $pdo->prepare("SELECT phone, last_inbound_at FROM customers WHERE id = :id");
    $stmt->execute(['id' => $customerId]);
    $customer = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$customer) {
        return ['success' => false, 'error' => 'Customer not found'];
    }

    $phone = preg_replace('/[^0-9]/', '', $customer['phone']);
    $lastInboundTime = $customer['last_inbound_at'] ? strtotime($customer['last_inbound_at']) : 0;
    $currentTime = time();
    
    // Calculate difference in seconds (86,400 seconds = 24 hours)
    $secondsSinceLastInbound = $currentTime - $lastInboundTime;
    $isSessionWindowActive = ($secondsSinceLastInbound < 86400);

    if ($isSessionWindowActive) {
        // 2. Active Session - Send free-form text message (Zero Meta Fee)
        return sendWhatsAppSessionTextMessage($phone, $textContent);
    } else {
        // 3. Session Expired - Send pre-approved Template (Standard Meta Utility Fee)
        return sendWhatsAppTemplateMessage($phone, $templateName, $templateParams);
    }
}

/**
 * Direct Session Text API Sender
 */
function sendWhatsAppSessionTextMessage(string $phone, string $text): array {
    $accessToken = getenv('WHATSAPP_API_TOKEN');
    $phoneNumberId = getenv('WHATSAPP_PHONE_NUMBER_ID');
    $url = "https://graph.facebook.com/v19.0/{$phoneNumberId}/messages";

    $payload = [
        'messaging_product' => 'whatsapp',
        'recipient_type' => 'individual',
        'to' => $phone,
        'type' => 'text',
        'text' => [
            'preview_url' => false,
            'body' => $text
        ]
    ];

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        "Authorization: Bearer {$accessToken}",
        "Content-Type: application/json"
    ]);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    
    $response = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    $result = json_decode($response, true);
    if ($httpCode >= 200 && $httpCode < 300) {
        return ['success' => true, 'type' => 'session', 'id' => $result['messages'][0]['id']];
    }
    return ['success' => false, 'error' => $result['error']['message'] ?? 'Session message failed'];
}

How do you parse complex interactive button responses and quick replies from the WhatsApp webhook payload using flat-PHP?

One of the strongest advantages of the WhatsApp Cloud API is its support for interactive messaging assets, including call-to-action buttons, quick replies, and dropdown list menus. These interactive elements allow a user in Ladakh to book tours, select pickup locations, or confirm itineraries with a single tap, bypassing complex textual typing over slow networks. However, handling the payload returned when a user taps these components requires careful navigation through a highly nested JSON structure in your webhook script.

When a user taps an interactive button or list item, Meta delivers an HTTP POST request to your webhook with a specific JSON structure. In flat-PHP, you must read this payload, check for the presence of the 'interactive' key, and parse the payload depending on whether it is a 'button_reply' (from quick replies) or a 'list_reply' (from dropdown lists). Both interactive components return a developer-defined 'id' and a user-facing 'title', allowing you to trigger customized business logic in your booking system, such as updating travel records or dispatching specific PDF travel permits.

Here is an example of the nested JSON payload sent to your webhook when a user taps an interactive Quick Reply button:


{
  "object": "whatsapp_business_account",
  "entry": [
    {
      "id": "109848574892019",
      "changes": [
        {
          "value": {
            "messaging_product": "whatsapp",
            "metadata": {
              "display_phone_number": "15550100000",
              "phone_number_id": "104928475928374"
            },
            "contacts": [
              {
                "profile": { "name": "Rigzin Dorje" },
                "wa_id": "919876543210"
              }
            ],
            "messages": [
              {
                "from": "919876543210",
                "id": "ABGGFlAYVTYyAgo-AM177b9F5N5c",
                "timestamp": "1716962304",
                "type": "interactive",
                "interactive": {
                  "type": "button_reply",
                  "button_reply": {
                    "id": "confirm_nubra_pickup_yes",
                    "title": "Yes, Confirm"
                  }
                }
              }
            ]
          },
          "field": "messages"
        }
      ]
    }
  ]
}

To process this payload inside your flat-PHP webhook listener, use a highly structured routing method that decodes the payload, safely inspects the array keys, and routes the actions using a switch-case statement, as shown in this professional example:


<?php
// webhook-interactive-handler.php - Parsing Webhook Responses

$rawBody = file_get_contents('php://input');
$payload = json_decode($rawBody, true);

// 1. Verify this is a message payload
if (isset($payload['entry'][0]['changes'][0]['value']['messages'][0])) {
    $message = $payload['entry'][0]['changes'][0]['value']['messages'][0];
    $customerPhone = $message['from']; // Number of the user who tapped the button
    
    // Update customer activity time in your local database
    updateCustomerActivityTime($customerPhone);

    // 2. Detect interactive type
    if ($message['type'] === 'interactive') {
        $interactive = $message['interactive'];
        
        if ($interactive['type'] === 'button_reply') {
            // Process Quick Reply Button Tap
            $buttonId = $interactive['button_reply']['id'];
            $buttonTitle = $interactive['button_reply']['title'];
            
            handleButtonResponse($customerPhone, $buttonId, $buttonTitle);
        } elseif ($interactive['type'] === 'list_reply') {
            // Process Dropdown List Selection
            $listId = $interactive['list_reply']['id'];
            $listTitle = $interactive['list_reply']['title'];
            
            handleListResponse($customerPhone, $listId, $listTitle);
        }
    }
}

/**
 * Execute custom booking logic based on specific interactive button IDs
 */
function handleButtonResponse(string $phone, string $buttonId, string $title) {
    global $pdo; // Assumes a global PDO connection

    switch ($buttonId) {
        case 'confirm_nubra_pickup_yes':
            // 1. Update status in database
            $stmt = $pdo->prepare("
                UPDATE bookings 
                SET status = 'pickup_confirmed', updated_at = NOW() 
                WHERE customer_phone = :phone AND status = 'pending_pickup'
            ");
            $stmt->execute(['phone' => $phone]);

            // 2. Dispatch a textual confirmation immediately
            sendWhatsAppTextMessage($phone, "Thank you! Your pickup in Nubra is confirmed. Our driver will contact you 1 hour prior.");
            break;

        case 'cancel_booking_request':
            // Update status to canceled
            $stmt = $pdo->prepare("UPDATE bookings SET status = 'canceled' WHERE customer_phone = :phone");
            $stmt->execute(['phone' => $phone]);
            
            sendWhatsAppTextMessage($phone, "Your request to cancel the tour booking has been received. Our team will contact you within 24 hours regarding refunds via bkbtechies@gmail.com.");
            break;

        default:
            // Log unhandled interactive action
            error_log("Unhandled interactive button click: {$buttonId} from {$phone}");
            break;
    }
}

How should media files (such as PDF tour vouchers or JPEG permits) be uploaded and sent via the WhatsApp Cloud API using raw cURL in flat-PHP?

Providing tourists in Ladakh with digital copies of their tour vouchers, accommodation vouchers, and Inner Line Permits (ILPs) directly on WhatsApp is a massive operational asset. It ensures travelers have local access to highly critical PDFs and images even when moving through isolated valleys without internet. To send media files using the WhatsApp Business Cloud API, you can either reference a publicly accessible URL or upload the binary data directly to Meta's servers to obtain a secure media_id.

For standard vouchers, referencing a public, secure URL is the easiest and most computationally efficient strategy. Your flat-PHP script constructs a cURL request containing the direct CDN URL of the PDF voucher. When WhatsApp receives this request, it downloads the media from your server, encrypts it, and delivers it to the customer. However, for sensitive files like state-issued Inner Line Permits containing tourists' passport numbers and residential details, exposing files on public URLs violates privacy compliance. In these security-critical scenarios, you must upload the binary file directly to Meta's secure media servers using a multipart/form-data POST request. Meta processes the document, encrypts it, and returns a unique media_id. Your script then passes this ID in the message payload instead of a URL, ensuring the document is never exposed to the public internet.

Here is an architectural comparison of the two media-delivery strategies:

Criteria	Hosted URL Integration	Meta Direct Media ID Upload
Security & Privacy	Lower. The file must be publicly accessible on your server for Meta to download it.	High. The file is uploaded directly to Meta's secure vault; no public URL is created.
Server Performance	High. Minimal CPU/RAM overhead on your local server; Meta handles the fetching.	Medium. Requires your server to read, load, and transmit the entire binary file.
Implementation Effort	Extremely simple. Standard JSON payload containing a direct link.	More complex. Involves a multi-step upload and message delivery flow.
Best Used For	Public marketing brochures, terms of service PDFs, standard route maps.	Confidential customer permits (ILPs), invoice PDFs, customized vouchers.

Here is the robust flat-PHP implementation showing both direct cURL methods: sending a file via a hosted URL, and uploading a private file to retrieve a media_id for secure distribution:


<?php
// media-sender-helper.php - Production Media API Methods

/**
 * Method 1: Send a document using a secure, hosted public URL
 */
function sendWhatsAppDocumentByUrl(string $phone, string $url, string $filename, string $caption = ''): array {
    $accessToken = getenv('WHATSAPP_API_TOKEN');
    $phoneNumberId = getenv('WHATSAPP_PHONE_NUMBER_ID');
    $apiUrl = "https://graph.facebook.com/v19.0/{$phoneNumberId}/messages";

    $payload = [
        'messaging_product' => 'whatsapp',
        'recipient_type' => 'individual',
        'to' => $phone,
        'type' => 'document',
        'document' => [
            'link' => $url,
            'filename' => $filename,
            'caption' => $caption
        ]
    ];

    $ch = curl_init($apiUrl);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        "Authorization: Bearer {$accessToken}",
        "Content-Type: application/json"
    ]);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    
    $response = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    $result = json_decode($response, true);
    if ($httpCode >= 200 && $httpCode < 300) {
        return ['success' => true, 'id' => $result['messages'][0]['id']];
    }
    return ['success' => false, 'error' => $result['error']['message'] ?? 'Failed to send document URL'];
}

/**
 * Method 2 (Part A): Upload a sensitive private document to Meta's media repository
 */
function uploadPrivateMediaToMeta(string $filePath, string $mimeType): ?string {
    $accessToken = getenv('WHATSAPP_API_TOKEN');
    $phoneNumberId = getenv('WHATSAPP_PHONE_NUMBER_ID');
    $url = "https://graph.facebook.com/v19.0/{$phoneNumberId}/media";

    if (!file_exists($filePath)) {
        error_log("Error: File not found at path: {$filePath}");
        return null;
    }

    // Prepare the multipart file payload using CURLFile
    $cf = new CURLFile($filePath, $mimeType, basename($filePath));
    $payload = [
        'file' => $cf,
        'messaging_product' => 'whatsapp'
    ];

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        "Authorization: Bearer {$accessToken}"
    ]);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    
    $response = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    $result = json_decode($response, true);
    if ($httpCode >= 200 && $httpCode < 300 && isset($result['id'])) {
        return $result['id']; // Returns the Meta Media ID
    }
    error_log("Meta Media Upload Error: " . ($result['error']['message'] ?? 'Unknown API error'));
    return null;
}

/**
 * Method 2 (Part B): Send a document using a secure Meta Media ID
 */
function sendWhatsAppDocumentByMediaId(string $phone, string $mediaId, string $filename, string $caption = ''): array {
    $accessToken = getenv('WHATSAPP_API_TOKEN');
    $phoneNumberId = getenv('WHATSAPP_PHONE_NUMBER_ID');
    $apiUrl = "https://graph.facebook.com/v19.0/{$phoneNumberId}/messages";

    $payload = [
        'messaging_product' => 'whatsapp',
        'recipient_type' => 'individual',
        'to' => $phone,
        'type' => 'document',
        'document' => [
            'id' => $mediaId,
            'filename' => $filename,
            'caption' => $caption
        ]
    ];

    $ch = curl_init($apiUrl);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        "Authorization: Bearer {$accessToken}",
        "Content-Type: application/json"
    ]);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    
    $response = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    $result = json_decode($response, true);
    if ($httpCode >= 200 && $httpCode < 300) {
        return ['success' => true, 'id' => $result['messages'][0]['id']];
    }
    return ['success' => false, 'error' => $result['error']['message'] ?? 'Failed to send media message'];
}

To ensure high deliverability and compliant usage of the WhatsApp Business API in Indian tourism business operations, always maintain strict adherence to Meta's opt-in policies. Tour operators must obtain explicit customer consent (via a checkbox during the booking process on your flat-PHP website) before initiating any template dispatches. Additionally, configure active monitoring on your webhook handler to log user opt-outs (e.g., if a customer responds with 'STOP') and flag their database records immediately to prevent unsolicited messages. Standardizing on email-only routes (mailto:bkbtechies@gmail.com) for complex cancellation or refund negotiations protects both the business and travelers, keeping communication formal, legally secure, and highly transparent.