u/SumGeniusAI

Quick context: last November I burned 2 months and 11 submissions getting HUMAN_AGENT approved for our Meta app. Earlier this month I submitted whatsapp_business_messaging and whatsapp_business_management together and both got approved on the first try.

Sharing the full breakdown because I would have killed for this post 6 months ago.

The two permissions + what each actually unlocks

- whatsapp_business_messaging — send/receive via Cloud API, interactive buttons, template sends, mark-as-read, media download.

- whatsapp_business_management — Embedded Signup completion (webhook subscribe + phone number /register), template CRUD (/{WABA_ID}/message_templates).

You almost certainly need both. Embedded Signup does not actually activate the number without whatsapp_business_management calling /register.

Description structure that worked

Both permission descriptions used the same 6-section skeleton:

1. HOW WE USE THIS PERMISSION - numbered list of specific API endpoints + what each does
2. AUTOMATED WORKFLOW - narrative walkthrough of a real customer conversation, start to finish
3. WHY THIS PERMISSION IS NECESSARY - bullet list of things you literally cannot do without it
4. HOW IT ADDS VALUE - who benefits, what outcome
5. COMPLIANCE - 24h window enforcement, opt-out handling, multi-tenant isolation, data storage
6. TECHNICAL IMPLEMENTATION - file names, actual endpoints, how the flow routes

The TECHNICAL IMPLEMENTATION section is the one most devs skip and I think it carries a lot of weight. Naming real files (WhatsAppAPI.php,  WhatsAppHandler.php), real tables (meta_messages), and saying "the 24h window is calculated from MAX(created_at) of inbound messages" reads like a real engineer wrote it, not a marketing dept.

Screencasts: no captions, no voiceover

Both videos were silent screen recordings. Our portal (ChatGenius) is in English and the UI is self-explanatory, so we let the flow tell the story. Zero narration. Both videos approved without complaint.

Video 1: whatsapp_business_management

1. Start from dashboard (WhatsApp already disconnected beforehand)
2. Connect section → click Connect WhatsApp
3. Full Embedded Signup popup: select WABA, select phone number, grant permissions, finish
4. Show connected status
5. Navigate to WhatsApp Templates
6. New Template → name (order_follow_up), category (UTILITY), language, header, body with {{customer_name}} and {{order_number}}, example values
7. Submit for Review
8. Template appears with PENDING badge

Video 2: whatsapp_business_messaging

1. Start from dashboard
2. Full Embedded Signup flow through to completion (showed the whole thing again, even though it was in video 1)
3. Account connected
4. Navigate to Conversations
5. Open WhatsApp in a new window, ChatGenius inbox showing behind, message the connected business number
6. Message arrives in inbox, AI auto-replies in real time
7. Couple more back-and-forth messages, showing AI handling each and realtime messages coming in
8. Open the conversation thread, full message history with timestamps

 

That's it. No annotations, no pointer highlights, no voiceover. 

Disconnected-before-recording is the #1 thing

I disconnected the WhatsApp account before recording so the reviewer sees the full Embedded Signup from scratch. This was the single biggest unlock for HUMAN_AGENT after 10 rejections - if the reviewer cannot see the complete OAuth/connect flow, they reject. Same principle applies here.

One weird thing I noticed

For IG/FB permissions, Meta lets you write custom reviewer instructions ("steps to reproduce"). For these two WhatsApp permissions, I could not find that field during submission. Either Meta reused prior app review instructions, or they do not collect them for these specific perms. My detailed description + screencast was all I submitted.

If anyone knows definitively, drop a comment.

TL;DR for first-try approval:

1. Submit both perms together with matching descriptions
2. 6-section structure, with real file names/endpoints in Technical Implementation
3. Disconnect everything before recording - show a fresh Embedded Signup
4. Silent screen recording is fine if your portal is in English and the UI is clear
5. Show the full journey: connect → use feature → show result in your platform (actual customer experience)

Happy to share the actual description text I submitted if anyone is mid-review. Good luck out there. 

Quick context: last November I burned 2 months and 11 submissions getting HUMAN_AGENT approved for our Meta app. Earlier this month I submitted whatsapp_business_messaging and whatsapp_business_management together and both got approved on the first try.

Sharing the full breakdown because I would have killed for this post 6 months ago.

The two permissions + what each actually unlocks

- whatsapp_business_messaging — send/receive via Cloud API, interactive buttons, template sends, mark-as-read, media download.

- whatsapp_business_management — Embedded Signup completion (webhook subscribe + phone number /register), template CRUD (/{WABA_ID}/message_templates).

You almost certainly need both. Embedded Signup does not actually activate the number without whatsapp_business_management calling /register.

Description structure that worked

Both permission descriptions used the same 6-section skeleton:

1. HOW WE USE THIS PERMISSION - numbered list of specific API endpoints + what each does
2. AUTOMATED WORKFLOW - narrative walkthrough of a real customer conversation, start to finish
3. WHY THIS PERMISSION IS NECESSARY - bullet list of things you literally cannot do without it
4. HOW IT ADDS VALUE - who benefits, what outcome
5. COMPLIANCE - 24h window enforcement, opt-out handling, multi-tenant isolation, data storage
6. TECHNICAL IMPLEMENTATION - file names, actual endpoints, how the flow routes

The TECHNICAL IMPLEMENTATION section is the one most devs skip and I think it carries a lot of weight. Naming real files (WhatsAppAPI.php,  WhatsAppHandler.php), real tables (meta_messages), and saying "the 24h window is calculated from MAX(created_at) of inbound messages" reads like a real engineer wrote it, not a marketing dept.

Screencasts: no captions, no voiceover

Both videos were silent screen recordings. Our portal (ChatGenius) is in English and the UI is self-explanatory, so we let the flow tell the story. Zero narration. Both videos approved without complaint.

Video 1: whatsapp_business_management

1. Start from dashboard (WhatsApp already disconnected beforehand)
2. Connect section → click Connect WhatsApp
3. Full Embedded Signup popup: select WABA, select phone number, grant permissions, finish
4. Show connected status
5. Navigate to WhatsApp Templates
6. New Template → name (order_follow_up), category (UTILITY), language, header, body with {{customer_name}} and {{order_number}}, example values
7. Submit for Review
8. Template appears with PENDING badge

Video 2: whatsapp_business_messaging

1. Start from dashboard
2. Full Embedded Signup flow through to completion (showed the whole thing again, even though it was in video 1)
3. Account connected
4. Navigate to Conversations
5. Open WhatsApp in a new window, ChatGenius inbox showing behind, message the connected business number
6. Message arrives in inbox, AI auto-replies in real time
7. Couple more back-and-forth messages, showing AI handling each and realtime messages coming in
8. Open the conversation thread, full message history with timestamps

 

That's it. No annotations, no pointer highlights, no voiceover. 

Disconnected-before-recording is the #1 thing

I disconnected the WhatsApp account before recording so the reviewer sees the full Embedded Signup from scratch. This was the single biggest unlock for HUMAN_AGENT after 10 rejections - if the reviewer cannot see the complete OAuth/connect flow, they reject. Same principle applies here.

One weird thing I noticed

For IG/FB permissions, Meta lets you write custom reviewer instructions ("steps to reproduce"). For these two WhatsApp permissions, I could not find that field during submission. Either Meta reused prior app review instructions, or they do not collect them for these specific perms. My detailed description + screencast was all I submitted.

If anyone knows definitively, drop a comment.

TL;DR for first-try approval:

1. Submit both perms together with matching descriptions
2. 6-section structure, with real file names/endpoints in Technical Implementation
3. Disconnect everything before recording - show a fresh Embedded Signup
4. Silent screen recording is fine if your portal is in English and the UI is clear
5. Show the full journey: connect → use feature → show result in your platform (actual customer experience)

Happy to share the actual description text I submitted if anyone is mid-review. Good luck out there.