Step 3 — Generate a Permanent Access Token
Whoxa CRM requires a permanent (non-expiring) access token to call the WhatsApp API on your behalf. Temporary tokens generated on the App Dashboard expire every 24 hours and are not suitable for production use.
Create a System User
- Go to business.facebook.com → Business Settings.
- In the left sidebar, click Users → System Users.
- Click Add and fill in:
- Name: e.g.,
whoxa-crm-system-user - Role: Admin
- Name: e.g.,
- Click Create System User.
Assign WhatsApp Permissions
- Select the newly created System User.
- Click Add Assets.
- Under Apps, select your Meta App created in Step 2.
- Enable the following permissions:
whatsapp_business_messagingwhatsapp_business_management
- Click Save Changes.
Generate the Token
- Still on the System User page, click Generate New Token.
- Select your Meta App from the dropdown.
- Set Token Expiration to Never.
- Select all required permission scopes (see table below).
- Click Generate Token and copy the token immediately — it is shown only once.
Required Permission Scopes
Select all 6 scopes when generating the token. Missing any will break specific features.
| Permission | Required For |
|---|---|
business_management | Accessing Meta Business Manager data |
catalog_management | Creating and syncing Meta product catalogs |
manage_app_solution | Managing app-level configurations |
whatsapp_business_manage_events | Receiving webhook events from Meta |
whatsapp_business_management | Managing WABA, templates, phone numbers |
whatsapp_business_messaging | Sending and receiving WhatsApp messages |
Important: If you only need basic messaging, the minimum is
whatsapp_business_messaging+whatsapp_business_management. But to use Meta Catalog and Template Management, all 6 scopes are required.
Keep this token secure. Anyone with this token can send messages from your WhatsApp Business Account.
Proceed to Step 4 — Configure Webhook URL.