Post-deploy setup
Required configuration after deploying wakit on Supabase.
After the initial deploy, you must configure vault secrets that the database triggers need to call Edge Functions.
Vault secrets (required)
Run these SQL commands in the Supabase SQL Editor:
select vault.create_secret(
'https://{SUPABASE_PROJECT_ID}.supabase.co/functions/v1',
'edge_functions_url'
);
select vault.create_secret(
'{SERVICE_ROLE_KEY}',
'edge_functions_token'
);Replace {SUPABASE_PROJECT_ID} and {SERVICE_ROLE_KEY} with your actual values. You can find them in Project Settings > API Keys in the Supabase Dashboard.
Without these secrets, incoming WhatsApp messages will be received by the webhook but will not be processed. The database triggers that forward messages to the agent and dispatcher functions will silently fail.
Edge Functions with external webhooks
Functions that receive requests from external services (Meta, Stripe) must be deployed without JWT verification:
npx supabase functions deploy whatsapp-webhook --no-verify-jwt
npx supabase functions deploy stripe-webhook --no-verify-jwtThe config.toml sets verify_jwt = false for these functions, but the Supabase GitHub Integration may not respect this setting. Deploying via CLI ensures the flag is applied.
Security: access token storage
WhatsApp access tokens (obtained during Embedded Signup) are stored in the organization_secrets table — a separate table with no RLS read policy for authenticated users. Only Edge Functions running with the service_role key can read them.
This means:
- Tokens are never sent to the browser or exposed via the REST API
- Organization members cannot see tokens in the dashboard or via Supabase client queries
- If you need to debug token issues, query the table from the SQL Editor:
select address, value from organization_secrets where key = 'access_token';Monitoring
wakit provides two public endpoints for monitoring your deployment (no authentication required):
Health check
curl https://{YOUR_DOMAIN}/functions/v1/api/pingReturns {"status":"ok","timestamp":"...","db":"connected"} if the API and database are operational. Use this with uptime monitoring tools like Upptime, Better Uptime, or any HTTP checker.
Meta token validation
curl https://{YOUR_DOMAIN}/functions/v1/api/health \
-H "Authorization: Bearer {API_KEY}"Validates each connected WhatsApp number's access token against Meta's Graph API. Returns quality rating and messaging limits per number. Useful for detecting disconnected numbers before they affect message delivery.
Supabase Auth
Enable the authentication providers you want in Authentication > Providers:
- Email — for email/password login and signup
- Google — requires a Google OAuth Client ID and Secret
- GitHub — requires a GitHub OAuth App
Add your domain to Authentication > URL Configuration > Redirect URLs:
https://app.yourdomain.com/**