3: Receiving messages

The gateway delivers each inbound message by POSTing to a webhook route in your app. You verify the shared secret, then do whatever you like with the message.

3.1: The webhook route

route both POST receive {
    $given = (string)($_SERVER['HTTP_SECRET'] ?? '')
    if ($this->secret === '' || !hash_equals($this->secret, $given)) return output(['error' => 'unauthorized'], code: 401)
    $data = json_decode((string)file_get_contents('php://input'), true) ?: []
    type_message::create(sender: (string)($data['from'] ?? ''), kind: (string)($data['type'] ?? 'text'), body: (string)($data['body'] ?? ''), ts: time())
    return output(['ok' => true])
}

Two details matter:

• Use hash_equals for the secret check, never ==, to avoid timing leaks.
• Read the raw body with php://input; the gateway sends JSON, not a form.

3.2: Acting on a message

Inside the webhook you have the full app available. Log it (as above), auto-reply with the WhatsApp resource, route it to a human, or fan it out over phloWS to a live inbox. The demo logs to a JSON model and renders an Inbox; pointing the gateway's webhook at /receive is all it takes for messages to appear.