Access Tokens (Temporary vs Permanent)

There are two types of access tokens used to authenticate WhatsApp Cloud API calls: a temporary token for testing and a permanent system-user token for production. Using the wrong one is the most common reason API calls suddenly stop working.

Temporary access token

Generated directly in the Meta developer dashboard under WhatsApp → API Setup → “Generate access token”. It works immediately but expires in approximately 24 hours. Use only for testing — never in production.

Permanent system-user token

Generated via Meta Business Manager (business.facebook.com):

Open System Users

Go to Business Manager → Settings → Users → System Users.

Create a system user

Create a system user (Admin access recommended).

Generate the token

Click Generate token on that system user, assign the app and required permissions (whatsapp_business_messaging, whatsapp_business_management).

Save it immediately

Copy the token and store it securely — Meta only shows it once.

Verify it

Paste the token into the Meta Access Token Debugger (developers.facebook.com/tools/debug/accesstoken/) to verify it is valid and check its expiry — a permanent token shows “Never” as expiry.

Use the permanent token in all production API calls.

Walkthrough screenshots

Frequently asked

Why did my WhatsApp API stop working overnight?

Almost certainly your temporary access token expired (~24h). Switch to a permanent system-user token for any production use.

How do I get a token that never expires?

Create a system user in Meta Business Manager, generate a token for that system user with the WhatsApp permissions, and use that token in your API calls. It does not expire.

What is a system user?

A non-human admin account in Meta Business Manager used to generate permanent tokens for automated systems (bots, integrations). It is not tied to a personal Facebook account, so it won’t expire when someone leaves the team.

How do I check if my token is valid?

Paste it into the Meta Access Token Debugger at developers.facebook.com/tools/debug/accesstoken/ and click Debug. It shows the token’s expiry, permissions, and whether it is still valid.

Gotchas & common mistakes

Temporary token expires in ~24 hours — the single most common reason integrations break. Always use a system-user token in production.
Token is shown only once — when you generate a system-user token, copy it immediately. If you lose it, you must generate a new one.
Permissions matter — the system user token needs at minimum whatsapp_business_messaging to send messages. Missing permissions cause authentication errors even with a valid token.
Token belongs to the system user, not a person — if you use a personal user token instead, it may stop working if that person’s account changes.

Request Anatomy & API VersioningThe four parts of every WhatsApp Cloud API HTTP request — endpoint, headers, body, and response — and how Meta's API versioning (v21.0, v24.0, etc.) works. Use when a customer asks what the URL structure means, what headers are required, what the version number in the URL does, or what happens when Meta deprecates a version.

⌘I

​Temporary access token

​Permanent system-user token

​Walkthrough screenshots

​Frequently asked

​Gotchas & common mistakes

Temporary access token

Permanent system-user token

Walkthrough screenshots

Frequently asked

Gotchas & common mistakes