Create Secure Interactive Applications with WhatsApp Flows End-to-End Encryption
WhatsApp Flows Encrypted Data Exchange Workflow
Summary
This workflow enables secure end-to-end encrypted data exchange with WhatsApp Flows for interactive applications inside WhatsApp. It implements the WhatsApp Business Encryption protocol, using RSA for key exchange and AES-GCM for payload encryption, to provide a secure channel for sensitive data while interfacing with WhatsApp's Business API. It follows the official WhatsApp Business Encryption specifications to establish an encrypted GraphQL-powered data exchange channel between your business and the WhatsApp consumer client.
How It Works
Encryption Flow
1. **Webhook Reception**: Receives encrypted data from WhatsApp containing:
   - `encrypted_flow_data`: The AES-encrypted payload
   - `encrypted_aes_key`: The RSA-encrypted AES key
   - `initial_vector`: Initialization vector for AES decryption
2. **Decryption Process**:
   - The workflow decrypts the AES key using an RSA private key
   - Then uses this AES key to decrypt the payload data
   - The inverted IV is used for response encryption
3. **Data Processing**:
   - The workflow parses the decrypted JSON data
   - Routes requests based on the `screen` parameter
4. **Response Generation**:
   - Generates appropriate response data based on the request type
   - Encrypts the response using the same AES key and inverted IV
   - Returns the base64-encoded encrypted response
Key Components
- **Webhook Endpoint**: Entry point for encrypted WhatsApp requests
- **Decryption Pipeline**: RSA and AES decryption components
- **Business Logic Router**: Screen-based routing for different functionality
- **Encryption Pipeline**: Secure response encryption
How to Use
1. **Deploy the Workflow**:
   - Import the workflow JSON into your n8n instance
2. **Set Up WhatsApp Integration**:
   - Configure your WhatsApp Business API to send requests to your n8n webhook URL
   - Ensure your WhatsApp integration encrypts data with the public key that pairs with the private key used in this workflow
3. **Test the Flow**:
   - Send an encrypted test message from WhatsApp to verify connectivity
   - Check that appointment data is being retrieved correctly
   - Validate that seat selection is functioning as expected
4. **Production Use**:
   - Monitor the workflow's performance in production
   - Set up error notifications if needed
Requirements
Authentication Keys
- **RSA Private Key**: Required for decrypting the AES key (included in the workflow; replace it with a key pair you generated yourself before deploying, since a key shipped inside a shared template is not secret)
- **WhatsApp Business Public Key**: Must be registered with the WhatsApp Business API
- **PostgreSQL Credentials**: For accessing appointment data from the database
WhatsApp Business Encryption Setup
As specified in the WhatsApp Business Encryption documentation:
1. **Generate a 2048-bit RSA Key Pair**:
   - The private key remains with your business (used in this workflow)
   - The public key is shared with WhatsApp
2. **Register the Public Key with WhatsApp**:
   - Use the WhatsApp Cloud API to register your public key
   - Set up the public key using the `/v17.0/{WhatsApp-Business-Account-ID}/whatsapp_business_encryption` endpoint
3. **Key Registration API Call**:

```
POST /v17.0/{WhatsApp-Business-Account-ID}/whatsapp_business_encryption
{
  "business_public_key": "YOUR_PUBLIC_KEY"
}
```

4. **Verification**:
   - Verify your public key is registered using a GET request to the same endpoint
   - Ensure the key status is "active"