Pre-flight
Problem / motivation
Summary
WhatsApp has rolled out a mandatory passkey requirement for device linking
on some accounts. This completely breaks all OpenWA session linking methods
— QR scan and pairing code both fail. The bot is permanently disconnected
with no way to re-link.
Environment
- OpenWA: v0.7.14
- Engines tested: Baileys, whatsapp-web.js
- Deployment: Docker self-hosted (Oracle Cloud ARM64, Ubuntu)
- Phone: Android
What WhatsApp now requires
When attempting to link a device, WhatsApp shows:
"Create a passkey to log in — For security reasons, your account needs
a passkey to link devices"
Options: Create passkey / Don't link
- Tapping "Don't link" prevents any device from being linked at all
- Creating the passkey succeeds on the phone, but then shows
"Continue on your other device" — and nothing happens on the
OpenWA dashboard or any third-party client
- The passkey verification handshake requires biometric/screen-lock
authentication on the receiving device, which headless/server-side
clients cannot perform
QR scan flow (whatsapp-web.js and Baileys)
- Session starts, QR generated successfully
- Phone scans QR from OpenWA dashboard
- Phone shows "Continue on your other device"
- Session never reaches
ready — stays at qr_ready
- Baileys logs: repeated
statusCode: 408 connection drops
- whatsapp-web.js: QR keeps regenerating, session never authenticates
When scanning from web.whatsapp.com instead:
- Browser shows "Quick security check with Passkey → Continue"
- Tapping Continue does nothing
- Session never completes
Pairing code flow
POST /sessions/:id/pairing-code with {"phoneNumber": "91XXXXXXXXXX"}
- Phone shows the 8-digit code entry screen
- After entering phone number, WhatsApp shows
"Continue on WhatsApp Web" — no code appears
- Nothing progresses
Impact
- Cannot re-link any session after a force-logout
- Bot is permanently offline with no recovery path
- Affects both engines (whatsapp-web.js and Baileys)
- Affects both linking methods (QR and pairing code)
Expected behavior
OpenWA should handle the passkey verification handshake, or provide
an alternative linking path that doesn't require biometric authentication
on the server side.
Possible approaches
- Implement the passkey/WebAuthn handshake in the whatsapp-web.js
and Baileys engine adapters
- Investigate whether WhatsApp Desktop's linking flow differs from
the browser/headless flow at the protocol level, since Desktop
also doesn't show the Quick security check with Passkey screen.
- Investigate whether the passkey requirement can be avoided by
spoofing a non-browser client context during QR/pairing flows
Additional context
This appears to be a phased rollout — not all accounts are affected yet.
Accounts that are affected have no workaround with current OpenWA versions.
Proposed solution
No response
Alternatives considered
No response
Scope
Pre-flight
Problem / motivation
Summary
WhatsApp has rolled out a mandatory passkey requirement for device linking
on some accounts. This completely breaks all OpenWA session linking methods
— QR scan and pairing code both fail. The bot is permanently disconnected
with no way to re-link.
Environment
What WhatsApp now requires
When attempting to link a device, WhatsApp shows:
Options: Create passkey / Don't link
"Continue on your other device" — and nothing happens on the
OpenWA dashboard or any third-party client
authentication on the receiving device, which headless/server-side
clients cannot perform
QR scan flow (whatsapp-web.js and Baileys)
ready— stays atqr_readystatusCode: 408connection dropsWhen scanning from
web.whatsapp.cominstead:Pairing code flow
POST /sessions/:id/pairing-codewith{"phoneNumber": "91XXXXXXXXXX"}"Continue on WhatsApp Web" — no code appears
Impact
Expected behavior
OpenWA should handle the passkey verification handshake, or provide
an alternative linking path that doesn't require biometric authentication
on the server side.
Possible approaches
and Baileys engine adapters
the browser/headless flow at the protocol level, since Desktop
also doesn't show the Quick security check with Passkey screen.
spoofing a non-browser client context during QR/pairing flows
Additional context
This appears to be a phased rollout — not all accounts are affected yet.
Accounts that are affected have no workaround with current OpenWA versions.
Proposed solution
No response
Alternatives considered
No response
Scope