Skip to content

[Feature]: [Critical] WhatsApp mandatory passkey blocks all device linking — QR and pairing-code both fail #560

Description

@adampalli

Pre-flight

  • I searched existing issues and this isn't already requested

Problem / motivation

Summary

WhatsApp has rolled out a mandatory passkey requirement for device linking
on some accounts. This completely breaks all OpenWA session linking methods
— QR scan and pairing code both fail. The bot is permanently disconnected
with no way to re-link.

Environment

  • OpenWA: v0.7.14
  • Engines tested: Baileys, whatsapp-web.js
  • Deployment: Docker self-hosted (Oracle Cloud ARM64, Ubuntu)
  • Phone: Android

What WhatsApp now requires

When attempting to link a device, WhatsApp shows:

"Create a passkey to log in — For security reasons, your account needs
a passkey to link devices"

Options: Create passkey / Don't link

  • Tapping "Don't link" prevents any device from being linked at all
  • Creating the passkey succeeds on the phone, but then shows
    "Continue on your other device" — and nothing happens on the
    OpenWA dashboard or any third-party client
  • The passkey verification handshake requires biometric/screen-lock
    authentication on the receiving device, which headless/server-side
    clients cannot perform

QR scan flow (whatsapp-web.js and Baileys)

  1. Session starts, QR generated successfully
  2. Phone scans QR from OpenWA dashboard
  3. Phone shows "Continue on your other device"
  4. Session never reaches ready — stays at qr_ready
  5. Baileys logs: repeated statusCode: 408 connection drops
  6. whatsapp-web.js: QR keeps regenerating, session never authenticates

When scanning from web.whatsapp.com instead:

  • Browser shows "Quick security check with Passkey → Continue"
  • Tapping Continue does nothing
  • Session never completes

Pairing code flow

  1. POST /sessions/:id/pairing-code with {"phoneNumber": "91XXXXXXXXXX"}
  2. Phone shows the 8-digit code entry screen
  3. After entering phone number, WhatsApp shows
    "Continue on WhatsApp Web" — no code appears
  4. Nothing progresses

Impact

  • Cannot re-link any session after a force-logout
  • Bot is permanently offline with no recovery path
  • Affects both engines (whatsapp-web.js and Baileys)
  • Affects both linking methods (QR and pairing code)

Expected behavior

OpenWA should handle the passkey verification handshake, or provide
an alternative linking path that doesn't require biometric authentication
on the server side.

Possible approaches

  1. Implement the passkey/WebAuthn handshake in the whatsapp-web.js
    and Baileys engine adapters
  2. Investigate whether WhatsApp Desktop's linking flow differs from
    the browser/headless flow at the protocol level, since Desktop
    also doesn't show the Quick security check with Passkey screen.
  3. Investigate whether the passkey requirement can be avoided by
    spoofing a non-browser client context during QR/pairing flows
Image Image Image

Additional context

This appears to be a phased rollout — not all accounts are affected yet.
Accounts that are affected have no workaround with current OpenWA versions.

Proposed solution

No response

Alternatives considered

No response

Scope

  • I understand some features are limited by the underlying WhatsApp engine (e.g. interactive Buttons/List messages are not supported on whatsapp-web.js).

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions