Is the WhatsApp connection official?

No. OpenClaw's WhatsApp integration uses Baileys, an unofficial library that emulates WhatsApp Web. It is not part of the official WhatsApp Business API. This means it's more fragile — WhatsApp may require re-authentication periodically. For a more stable, official channel, use Telegram, Slack, or Discord.

Will WhatsApp ban my account for using OpenClaw?

There's a small risk. WhatsApp's terms of service prohibit unofficial API usage, and automated messaging can trigger account restrictions. Using your personal WhatsApp number is riskier than a dedicated one. To minimize risk, don't send bulk messages — use it only for personal back-and-forth conversations.

Why does the QR code expire before I can scan it?

The QR code refreshes every 60 seconds. If it expires, wait for the new code to appear in the terminal logs — it regenerates automatically. Make sure you're watching `openclaw logs --filter whatsapp` in your terminal and open WhatsApp → Settings → Linked Devices on your phone before the QR appears.

Can I use my existing personal WhatsApp number?

Technically yes, but not recommended. If the integration is detected as automated activity, your personal number could be restricted. Best practice is to get a dedicated phone number (a cheap prepaid SIM or Google Voice) for the bot, keeping your personal number completely separate.

WhatsApp – HowOpenClaw

WhatsApp integration uses Baileys, an unofficial WhatsApp Web API library. It works by emulating a web session — the same way WhatsApp Web works in your browser. This means it's more fragile than official integrations and will occasionally require re-authentication.

If stability is a priority, use Telegram or iMessage instead. If WhatsApp is where you actually communicate, here's how to set it up. WhatsApp works on any supported OpenClaw host (Mac, Linux, Windows, or a VPS) and adds no cost on top of your normal AI API spend — typically $1–10/month.

Create the session directory

Do this first, before anything else. WhatsApp needs this directory to store its credentials:

mkdir -p ~/.openclaw/sessions/whatsapp

If you skip this step, authentication will fail with a confusing error.

Configure OpenClaw

Add the WhatsApp channel to ~/.openclaw/openclaw.json:

{
  "channels": {
    "whatsapp": {
      "enabled": true,
      "library": "baileys",
      "dmPolicy": "allowlist",
      "allowedContacts": [
        "+15551234567"
      ],
      "groupPolicy": "mention",
      "requireMention": true,
      "sessionPath": "~/.openclaw/sessions/whatsapp"
    }
  }
}

Scan the QR code

Restart the gateway and watch the logs:

openclaw gateway restart
openclaw logs --filter whatsapp

A QR code will appear in your terminal. Scan it with WhatsApp on your phone:

Open WhatsApp → Settings → Linked Devices
Tap Link a Device
Scan the QR code

The session is stored in your sessionPath directory. You won't need to scan again unless the session expires.

Test it

Send a message from an allowed contact — the agent should reply within a few seconds.

If it doesn't respond:

openclaw logs --filter whatsapp

Phone Number Formatting

Same rule as iMessage: use E.164 format with no spaces.

Format	Works?
`+15551234567`	✅
`+1 555 123 4567`	❌
`005551234567`	❌

Formatting errors are the leading cause of allowlist failures.

Key Configuration Options

Setting	Purpose
`dmPolicy`	Who can message the agent (allowlist/pairing/open)
`groupPolicy`	Group chat behavior (mention/always/never)
`requireMention`	Require @mention in groups
`allowedContacts`	Phone number whitelist
`sessionPath`	Where to store session data

Group Chats

Group echo suppression is now smarter: OpenClaw tracks recent gateway-sent message IDs and only suppresses matching echoes. Owner commands like /status, /new, and /activation from linked-account traffic are preserved and no longer incorrectly filtered.

Reply-to-bot detection in groups also works reliably with linked accounts. OpenClaw unwraps botInvokeMessage payloads and reads selfLid from creds.json, so reply-based mentions reach the bot in linked-account group chats.

Message Reactions

As of v2026.4.12, message reactions are now properly routed through the gateway-owned action path. This means:

Reactions work in both direct messages and group chats
The live WhatsApp listener is used in both contexts
Reaction handling matches the reliability of standard message sending (message send)
Reply-based polling and sentiment reactions work consistently

The gateway now routes message react through the same reliable path as message send and message poll, ensuring reactions stay synchronized with your live WhatsApp session.

CLI Media Sends (v2026.4.12)

Sending files via the CLI with --media is now fixed. Gateway-mode outbound sends route through the correct channel sendMedia path and preserve media access context — previously, WhatsApp document and attachment sends would silently drop the file while still delivering the caption.

openclaw send --channel whatsapp --to "+15551234567" --media /path/to/file.pdf "Here's the doc"

Auto-Reply and Media Attachments (v2026.4.12)

Image attachment notes are now preserved after media understanding, so image edits keep the real saved media path instead of hallucinating a missing local path. This means:

Your agent can understand image content in auto-reply rules
Edits and modifications to images maintain proper file references
Media understanding doesn't break downstream file operations

Reconnection Stability

As of v2026.4.12, WhatsApp reconnection has been significantly improved:

The blockStreaming setting has been restored and controls streaming behavior
Watchdog timeouts are now reset after reconnect, so quiet chats no longer fall into reconnect loops
Per-account connection ownership is centralized, so reconnects and login recovery stay attached to the live socket
Disconnection and reconnection are more graceful overall

New in v2026.4.15

The pending per-auth credentials save queue is now drained before sockets are reopened. Previously, a reconnect could race against in-flight creds.json writes, causing auth bootstrap to falsely restore from backup and potentially invalidate a valid session. This is fixed — credentials are fully persisted before the new socket is established.

Enable streaming control if needed:

{
  "channels": {
    "whatsapp": {
      "blockStreaming": false
    }
  }
}

Large Media Sends (v2026.4.15)

New in v2026.4.15

Encrypted upload handling for large outbound media sends has been hardened. Buffer spikes and reliability regressions that could affect large file sends are now resolved, making outbound media delivery more stable for large attachments.

Packaged QuickStart Setup (v2026.4.23)

New in v2026.4.23

First-run WhatsApp setup is now kept off the Baileys runtime dependency path, so packaged QuickStart installs can show the WhatsApp setup screen before runtime deps are staged. If your packaged install was getting stuck on the WhatsApp step during onboarding, upgrading to v2026.4.23 resolves it. (Fixes #70932)

Outbound media normalization has also been unified across direct sends and auto-replies — the same path now handles both, eliminating drift between the two delivery modes. Thanks @mcaxtr.

Prompt-Injection Hardening (v2026.4.23)

Security hardening in v2026.4.23

Channel-sourced contact, vCard, and location metadata (names, phone fields, location labels and comments) are no longer inlined into the message body. They are now rendered through a fenced untrusted-metadata JSON block, which limits the blast radius of hidden prompt-injection payloads delivered through contact card or location share messages. No action needed — this applies automatically after upgrade.

Want an official API instead of an unofficial one? Telegram uses Telegram's official Bot API — no QR codes, no session expiry, more reliable.

Privacy-critical communications? Signal keeps messages end-to-end encrypted with no unofficial protocol emulation.

Comparing OpenClaw to alternatives? See OpenClaw vs ChatGPT — WhatsApp integration is a key reason users choose OpenClaw over hosted AI services.

Important Limitations

Unofficial API. WhatsApp doesn't provide an official API for this type of integration. Baileys reverse-engineers the web protocol, which means:

WhatsApp updates can break the integration until Baileys updates
Occasional disconnections are normal
Your account could theoretically be flagged (rare, but possible)

Session file security. The session files in sessionPath contain authentication credentials equivalent to being logged into WhatsApp. Never commit them to version control, never back them up to unencrypted cloud storage.

Multi-device limits. WhatsApp limits linked devices. If you hit the limit, you'll need to unlink another device before the integration works.

Phone offline. Extended periods with your phone offline can cause the session to invalidate, requiring re-authentication.

Re-Authentication

Sessions expire after 2 weeks of inactivity

If you stop using the bot for two weeks, WhatsApp will disconnect the session. You'll see a reconnection prompt in the logs. Fix it with:

openclaw channels login --channel whatsapp

Re-scan the QR code and you're reconnected. This is normal — not a bug.

When the session expires, delete the session files and repeat the QR code scan:

rm -rf ~/.openclaw/sessions/whatsapp/*
openclaw gateway restart
# Watch logs for QR code
openclaw logs --filter whatsapp

Something not working?

Check the troubleshooting guide for common issues with gateway startup, channel connections, and automations.