4: Credentials and shielding

phloWA touches a real phone number and a real account session. The rule for the whole platform is simple: no secrets and no numbers in the repository, ever.

4.1: Where secrets live

security/creds resolves credentials from, in order, data/creds.ini and environment variables, and wraps them so they do not print by accident. The file is a plain INI section:

[whatsapp]
url    = http://127.0.0.1:8081
secret = a-long-random-shared-secret

and the module exposes the two values as properties that fall back to an empty string when the section or the key is absent:

prop endpoint => (string)(%creds->whatsapp?->url ?? '')
prop secret   => (string)(%creds->whatsapp?->secret ?? '')

The same values can come from the PHLO__whatsapp__url and PHLO__whatsapp__secret environment variables instead, which is what production uses: no file on disk, nothing to commit by mistake.

4.2: What to gitignore

Path                             Why
data/creds.ini                   the gateway URL and secret
.env                             environment secrets
.wwebjs_auth/, .wwebjs_cache/    the linked WhatsApp session (whoever copies it holds the logged-in account)
data/received.json, uploads      real numbers and message bodies

Commit a creds.ini.example with placeholders so others know what to fill in.

4.3: Inert without credentials

Design the app so it is safe with no credentials: if the secret is empty, sends become a "not configured" toast and the webhook rejects every request. Make that rejection an explicit check on the empty secret rather than a side effect of comparing it to what the caller presents, because an empty configured secret compared against an empty presented one would otherwise match. The demo deploys publicly in exactly this state and only becomes live once you add your own creds.ini.
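The whole of 4.1 and 4.3 in one runnable piece, as an added example written for this page rather than phloWA's own code: INI first, PHLO__section__key environment overrides second, a wrapper that redacts the secret in repr(), str() and f-strings, and a gateway that fails closed when no secret is configured. The file path, the env-var naming and the [whatsapp] url/secret keys are from the page; the class and function names, and the assumption that a webhook caller presents the shared secret verbatim (in a header, say), are mine.

```python
"""Credential resolution and fail-closed shielding (added example, not phloWA code).

Python stand-in for the behaviour the page describes. Names of classes and
functions are assumptions for illustration; how a webhook caller presents the
secret is also assumed (it is compared verbatim below).
"""
import configparser
import hmac
import os


class Secret:
    """Holds a secret so that repr(), str() and f-strings never leak it."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:  # the one deliberate way to read it
        return self._value

    def __bool__(self) -> bool:  # empty secret is falsy -> "not configured"
        return bool(self._value)

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__  # f"{s}" with no format spec also goes through __str__


def load_creds(ini_text: str, environ: dict) -> dict:
    """Resolve {section: {key: value}}: ini values first, env overrides second.

    PHLO__<section>__<key> sets creds[section][key]. Every key named 'secret'
    is wrapped in Secret. Interpolation is off so a '%' in a secret is not
    treated as a configparser substitution.
    """
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(ini_text)
    creds = {s: dict(parser.items(s)) for s in parser.sections()}
    for name, value in environ.items():
        if not name.startswith("PHLO__"):
            continue
        parts = name[len("PHLO__"):].split("__", 1)
        if len(parts) == 2:
            section, key = parts
            creds.setdefault(section, {})[key] = value
    for values in creds.values():
        for key, value in values.items():
            if key == "secret" and not isinstance(value, Secret):
                values[key] = Secret(value)
    return creds


def load_from_disk(path: str = "data/creds.ini") -> dict:
    """Production entry point: a missing ini is not an error, env vars suffice."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    return load_creds(text, dict(os.environ))


class Gateway:
    """The two properties from 4.1 plus the 4.3 'inert without creds' rule."""

    def __init__(self, creds: dict) -> None:
        wa = creds.get("whatsapp", {})
        self.endpoint = str(wa.get("url", ""))
        self.secret = wa.get("secret", Secret(""))

    def __repr__(self) -> str:  # safe to log: the secret prints redacted
        return f"Gateway(endpoint={self.endpoint!r}, secret={self.secret!r})"

    @property
    def configured(self) -> bool:
        return bool(self.endpoint) and bool(self.secret)

    def send(self, to: str, text: str) -> dict:
        """Outbound path: a toast instead of a request when unconfigured."""
        if not self.configured:
            return {"ok": False, "toast": "not configured"}
        # A real implementation would POST to self.endpoint here; omitted so
        # the example runs offline.
        return {"ok": True, "endpoint": self.endpoint, "to": to, "chars": len(text)}

    def accept_webhook(self, presented: str) -> bool:
        """Inbound path, fail closed: with no secret configured nothing is
        accepted. The explicit check matters, since compare_digest(b"", b"")
        would otherwise return True."""
        if not self.secret:
            return False
        return hmac.compare_digest(self.secret.reveal().encode(), presented.encode())


# Constructed sample input: the page's own creds.ini contents, inline so the
# example runs without touching the filesystem.
SAMPLE_INI = """\
[whatsapp]
url    = http://127.0.0.1:8081
secret = a-long-random-shared-secret
"""

if __name__ == "__main__":
    print(Gateway(load_creds(SAMPLE_INI, {})))      # secret shows as <redacted>
    print(Gateway(load_creds("", {})).send("demo", "hi"))  # the public demo state
```

Two things to check when wiring the real app to this shape: that every log line which might include the gateway object goes through repr()/str() (so the wrapper does its job) and never through secret.reveal(), and that the webhook test suite includes the empty-secret case alongside the wrong-secret case, since the first is the one that quietly opens up once someone "simplifies" the comparison.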
