WhatsApp Owner Action Checklist

Owner action required

Unused-number readiness checklist

• Use a WhatsApp-capable number that is not already tied to another active WhatsApp Business setup unless Meta confirms it can be moved safely.
• Confirm the owner can receive SMS or voice verification on the number before starting Meta setup.
• Prepare the business display name before entering Meta setup.
• Keep screenshots focused on status labels and setup progress, with no secret values visible.
• Do not paste customer phone numbers, verification codes, tokens, app secrets, or env values into SmartBiz, ChatGPT, Codex, docs, or screenshots.

Display name

Phone-number registration preparation

• Use a clear business display name that matches the business identity shown in Meta Business settings.
• Avoid claims that imply Meta or WhatsApp approval, partnership, certification, or guaranteed customer outcomes.
• Keep naming consistent with SmartBiz, E STREAM MEDIA EMPIRE, and the intended property-agent workflow.
• SMS / voice verification is OWNER ACTION ONLY and must be completed by Jerry inside Meta, not by Codex.

Webhook readiness

Callback URL

Future Meta WhatsApp webhook callback URL:

https://smartbiz-ai-automation.com/api/meta/whatsapp/webhook

This URL is public routing information only. It is not a token, password, app secret, or verification value.

Secret handling

Verification token and app secret

• Webhook verification token is SECRET / OWNER ACTION ONLY.
• The secret value must be entered only into Meta and Vercel secure fields when a separate owner-approved task allows it.
• Never paste the verification token into chat, docs, reports, screenshots, source files, or commits.
• App secret and signature verification are required for webhook safety, but secret values must never be exposed.

RED / HARD STOP

Actions this page does not perform

• WhatsApp number registration and SMS / voice verification.
• Token or env insertion into Vercel or any other secure runtime.
• WhatsApp Cloud API send test.
• Graph API, Graph API Explorer, or Meta settings changes.
• n8n live connection.
• AI auto-reply enablement.
• Live Messenger or WhatsApp customer messages.

Reply safety

AI and outbound queue remain OFF

• AI reply remains OFF until explicit approval, testing, and enablement.
• Outbound queue remains OFF and cannot send customer messages.
• Human review and handoff remain required before any customer communication is used.
• Future internal testing should validate inbound webhook receipt before any reply workflow is considered.

Evidence checklist

Capture status without secrets

• Phone number added status, with no verification code or customer number exposed.
• Webhook callback configured status, with no token value visible.
• Webhook fields or subscription status, with secret fields hidden or redacted.
• Fail-closed smoke result from SmartBiz after setup, using no real token value in reports.

Browserless checks

What Codex can validate safely

• Public readiness pages load and remain non-functional.
• WhatsApp passive webhook fails closed for missing or invalid token/signature.
• WhatsApp setup routes remain disabled with feature_enabled:false and live_action_performed:false.
• No token fields, phone fields, verification-code fields, live connect forms, or live message buttons appear on public pages.