Developers
Developer Overview
Build custom plugins that add new tools and capabilities to the WhatsApp AI agent.
What are plugins?
The AI agent already ships with powerful built-in capabilities — web browsing, code sandboxes, image generation, browser automation, payments, and more. Plugins let you go further by connecting the agent to any external service or API you need.
When a plugin is installed, its tools become available to the agent alongside all built-in tools. The agent can combine them freely — for example, calling your CRM plugin to look up a customer, then using its browser to check a shipping portal, and finally generating a report in a code sandbox. Plugins slot into this ecosystem seamlessly.
How plugins work
- You create a manifest — a JSON file that describes your plugin, its tools, and how to authenticate
- You host an HTTP endpoint that receives tool calls and returns results
- You publish the manifest to the platform
- Organizations install your plugin
- The AI agent can now call your tools during conversations
When the agent decides to use one of your tools (e.g., "look up order status"), the platform sends an HTTP request to your endpoint with the tool name, input data, and context. Your endpoint processes the request and returns the result. The agent then uses the result to continue the conversation.
What you'll need
- A server or serverless function that can handle HTTP POST requests
- Basic knowledge of JSON and REST APIs
- A manifest file describing your plugin (covered in Manifest Reference)
Plugin lifecycle
Development
- Write your manifest file
- Build your HTTP endpoint
- Install the plugin in sandbox mode for testing
- Test with real conversations
Publishing
- Submit your plugin for review
- Once approved, it becomes available for organizations to install
Installation
- An organization admin installs your plugin
- They grant it to specific instances
- The AI agent on those instances can now use your tools
Security
The platform takes security seriously when it comes to plugins:
- Signed tokens — Every tool call includes a signed platform token that your endpoint can verify. This confirms the request is legitimate.
- Scoped access — Plugins only have access to the tools they declare. They can't access other parts of the platform.
- User privacy — When your plugin receives a tool call, it gets a hashed user identifier — never the actual WhatsApp phone number.
- OAuth support — If your plugin needs to access user accounts on external services, the platform handles the full OAuth 2.0 flow.
- Encrypted storage — OAuth tokens and secrets are encrypted at rest using AES-256-GCM.
Next steps
- Plugin Quick Start — Build and install your first plugin
- Manifest Reference — Complete manifest specification
- Authentication — Platform tokens, OAuth, and security
- Testing & Debugging — Test your plugin in sandbox mode