4: Credentials and shielding

phloWA touches a real phone number and a real account session. The rule for the whole platform is simple: no secrets and no numbers in the repository, ever.

4.1: Where secrets live

security/creds resolves credentials from data/creds.ini and from environment variables, in that order, and wraps the values so they do not print by accident. A data/creds.ini looks like this:

    [whatsapp]
    url    = http://127.0.0.1:8081
    secret = a-long-random-shared-secret

security/creds then exposes the two values as props, falling back to the empty string when the section or key is missing:

    prop endpoint => (string)(%creds->whatsapp?->url ?? '')
    prop secret   => (string)(%creds->whatsapp?->secret ?? '')

The same values can come from the PHLO__whatsapp__url and PHLO__whatsapp__secret environment variables instead (PHLO__ followed by the INI section and key), which is what you use in production so that no credentials file ever lands on the server or in the repository.

4.2: What to gitignore

    Path                              Why
    data/creds.ini                    the gateway URL and secret
    .env                              environment secrets
    .wwebjs_auth/, .wwebjs_cache/     the linked WhatsApp session
    data/received.json, uploads       real numbers and message bodies

Commit a creds.ini.example with placeholders so others know what to fill in.

4.3: Inert without credentials

Design the app so it is safe with no credentials: if the secret is empty, sends become a "not configured" toast and the webhook rejects every request. The demo deploys publicly in exactly this state and only becomes live once you add your own creds.ini.
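The following Python is an added example, not code from phloWA or its security/creds module, showing the three behaviours sections 4.1 and 4.3 describe in one place: resolving a section from INI text and PHLO__<section>__<key> environment variables, wrapping each value so that repr(), str() and a dict dump never leak it, and gating both the send path and the webhook on an empty secret. Assumptions: the INI content and the environment are passed in rather than read from disk so the example runs offline; an environment variable overrides the file value (the page says only that both sources are consulted); the webhook presents the shared secret as a plain token compared in constant time; and the gateway call itself is replaced by a returned request description. The phone number and INI text are constructed sample data.

```python
import configparser
import hmac
from typing import Iterable, Mapping, Optional

# Constructed sample of data/creds.ini, embedded so the example runs offline.
SAMPLE_CREDS_INI = """
[whatsapp]
url    = http://127.0.0.1:8081
secret = a-long-random-shared-secret
"""

ENV_PREFIX = "PHLO__"  # PHLO__<section>__<key>, the naming used on the page


class Secret:
    """Wraps a credential so it cannot be printed by accident: repr(), str()
    and any container dump show only a placeholder; call reveal() on purpose."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __bool__(self) -> bool:
        # An empty credential is falsy, which is what the "inert" checks key on.
        return bool(self._value)

    def __repr__(self) -> str:
        return "Secret(***)"

    __str__ = __repr__


def load_creds(ini_text: Optional[str], env: Mapping[str, str],
               section: str, keys: Iterable[str]) -> dict:
    """Resolve each key from the INI section, then let a matching
    PHLO__<section>__<key> environment variable override it (the override
    direction is this example's assumption). Missing values become "".
    Interpolation is disabled so a '%' inside a secret is taken literally."""
    parser = configparser.ConfigParser(interpolation=None)
    if ini_text:
        parser.read_string(ini_text)
    resolved = {}
    for key in keys:
        value = parser.get(section, key, fallback="")
        env_name = f"{ENV_PREFIX}{section}__{key}"
        if env_name in env:
            value = env[env_name]
        resolved[key] = Secret(value.strip())
    return resolved


def verify_webhook(creds: dict, presented: Optional[str]) -> bool:
    """Webhook gate: with no configured secret every request is rejected;
    otherwise the presented token must equal the shared secret, compared in
    constant time so a wrong guess and a near miss take the same time."""
    secret = creds["secret"]
    if not secret or presented is None:
        return False
    return hmac.compare_digest(secret.reveal().encode(), presented.encode())


def send_message(creds: dict, to: str, body: str) -> dict:
    """Send path: when the URL or secret is empty the caller gets the
    "not configured" toast and nothing touches the network. Otherwise the
    request that would be sent to the gateway is described (hypothetical
    shape; this example does not perform the HTTP call)."""
    if not creds["secret"] or not creds["url"]:
        return {"ok": False, "toast": "not configured"}
    return {
        "ok": True,
        "endpoint": creds["url"].reveal(),
        "to": to,
        "chars": len(body),
    }


if __name__ == "__main__":
    configured = load_creds(SAMPLE_CREDS_INI, {}, "whatsapp", ("url", "secret"))
    print(configured)  # prints {'url': Secret(***), 'secret': Secret(***)}
    print(verify_webhook(configured, "a-long-random-shared-secret"))
    inert = load_creds(None, {}, "whatsapp", ("url", "secret"))
    print(send_message(inert, "+15555550100", "hello"))  # the demo's public state
```

Deploying with no creds.ini and no PHLO__whatsapp__* variables produces the inert state the demo ships in: verify_webhook returns False for every token, including the empty one, and send_message returns the toast rather than a request. Setting PHLO__whatsapp__secret alone is enough to change the webhook's answer without touching the file.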
