Otentikasi

Endpoint /api/send, /api/send-media, /api/check, /api/messages, /api/device menggunakan Device API Token. Kirim token dengan salah satu cara:

• Authorization: Bearer <TOKEN>
• X-API-Token: <TOKEN>
• Form/JSON body field token
• Query string ?token=<TOKEN>

Ambil token dari halaman Devices.

POST /api/send — kirim teks

POST /api/send
Authorization: Bearer DEVICE_API_TOKEN
Content-Type: application/json

{
  "target": "081234567890",          // atau "62812..,62898.." untuk multi
  "message": "Halo dari Banteng"
}

Response:

{
  "ok": true,
  "results": [
    { "target": "081234567890", "ok": true, "msg_id": "ABCD...", "jid": "62812...@s.whatsapp.net" }
  ]
}

POST /api/send-media — kirim gambar/dokumen

Pakai multipart/form-data jika upload file, atau JSON kalau pakai URL publik:

POST /api/send-media   (multipart/form-data)
fields:
  token   = DEVICE_API_TOKEN
  target  = 081234567890
  type    = image | video | audio | voice | document
  caption = (optional)
  file    = <binary>
  url     = https://...   (alternative to file)

POST /api/check — cek nomor terdaftar di WA

POST /api/check
Authorization: Bearer DEVICE_API_TOKEN

{ "target": "081234567890" }
→ { "ok": true, "exists": true, "jid": "62812...@s.whatsapp.net" }

Webhook (incoming message)

Saat pesan masuk ke device, server akan POST JSON ke URL webhook yang kamu set:

POST <your-webhook-url>
Content-Type: application/json
X-Signature: sha256=<hex>     // jika webhook_secret diisi

{
  "event": "message",
  "device_id": "abcdef0123456789",
  "from": "62812...@s.whatsapp.net",
  "phone": "62812...",
  "push_name": "John",
  "type": "text",
  "body": "halo bang",
  "msg_id": "3EB0...",
  "timestamp": 1760000000,
  "is_group": false
}

Verifikasi tanda tangan di server kamu dengan HMAC-SHA256(webhook_secret, raw_body) lalu bandingkan ke header X-Signature.

Contoh cURL

curl -X POST https://wa.bantengcaraka.id/api/send \
  -H "Authorization: Bearer DEVICE_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"target":"081234567890","message":"Hello"}'

Anti-Ban Protection

Setiap device punya pengaman bawaan agar nomor tidak ke-ban WhatsApp:

• Rate limit per menit (default 20) dan per hari (default 1000).
• Send window: bisa dibatasi jam aktif (mis. 07:00–21:00).
• Pre-validate: setiap nomor dicek dulu apakah ada di WhatsApp; nomor yang tidak terdaftar tidak dikirim.
• Typing simulation: presence "composing" sebelum kirim agar terlihat manusiawi.
• Warmup mode: nomor baru otomatis dibatasi 5/menit · 100/hari selama 24 jam pertama.
• Random jitter: jeda antar broadcast dirandom (default 4–8 detik).
• Auto-pause: broadcast otomatis berhenti jika gagal beruntun ≥ N kali.

Atur lewat tombol Anti-ban di halaman Devices, atau via PUT /api/devices/:id/settings.

Jika permintaan ditolak karena pengaman, response: { ok:false, error:"rate limit exceeded (max 20/min)" } dengan kode internal RATE_LIMIT, DAILY_LIMIT, atau OUT_OF_WINDOW.

Broadcast (kirim massal)

POST /api/broadcasts        (JWT)
{
  "device_id": 1,
  "name": "Promo Lebaran",
  "message": "Halo {{nama}}, ada promo!",
  "targets": [
    "081234567890",
    { "phone": "62812...", "vars": { "nama": "Budi" } }
  ],
  "delay_ms": 4000,
  "delay_jitter_ms": 4000,
  "scheduled_at": "2026-05-01 09:00:00"
}

Worker mengirim satu per satu dengan delay random. Jika gagal beruntun, broadcast otomatis dipause.

Pesan Terjadwal

POST /api/broadcasts/scheduled/single   (JWT)
{ "device_id": 1, "target": "081234567890", "message": "Reminder!", "scheduled_at": "2026-05-01 08:00:00" }

Auto-Reply

Buat aturan: bila pesan masuk match keyword, kirim balasan otomatis. Mode match: contains, exact, startswith, regex. Mendukung filter jam aktif (hours_start, hours_end) dan hari aktif (days_of_week).

POST /api/autoreplies   (JWT)
{
  "device_id": 1,
  "name": "Salam pembuka",
  "match_mode": "contains",
  "keyword": "halo",
  "reply": "Hai! Ada yang bisa kami bantu?",
  "cooldown_sec": 300,
  "ignore_groups": true,
  "hours_start": "08:00",
  "hours_end":   "18:00",
  "days_of_week": "mon,tue,wed,thu,fri"
}

SDK Examples

Endpoint /api/send bisa dipanggil dari berbagai bahasa. Ganti DEVICE_API_TOKEN dengan token milik device kamu.

curl -X POST https://wa.bantengcaraka.id/api/send \
  -H "Authorization: Bearer DEVICE_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"target":"081234567890","message":"Halo dari Banteng Caraka"}'

<?php
$ch = curl_init('https://wa.bantengcaraka.id/api/send');
curl_setopt_array($ch, [
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_POST => true,
  CURLOPT_HTTPHEADER => [
    'Authorization: Bearer DEVICE_API_TOKEN',
    'Content-Type: application/json',
  ],
  CURLOPT_POSTFIELDS => json_encode([
    'target'  => '081234567890',
    'message' => 'Halo dari Banteng Caraka',
  ]),
]);
$response = curl_exec($ch);
$status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo $response;

import requests
r = requests.post(
    'https://wa.bantengcaraka.id/api/send',
    headers={'Authorization': 'Bearer DEVICE_API_TOKEN'},
    json={'target': '081234567890', 'message': 'Halo dari Banteng Caraka'},
    timeout=30,
)
print(r.json())

const res = await fetch('https://wa.bantengcaraka.id/api/send', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer DEVICE_API_TOKEN',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    target: '081234567890',
    message: 'Halo dari Banteng Caraka',
  }),
});
console.log(await res.json());

use Illuminate\Support\Facades\Http;

$resp = Http::withToken(config('services.banteng_wa.token'))
    ->post(config('services.banteng_wa.url').'/api/send', [
        'target'  => '081234567890',
        'message' => 'Halo dari Banteng Caraka',
    ]);

return $resp->json();

Webhook verification (PHP):

<?php
$secret = 'YOUR_WEBHOOK_SECRET';
$body = file_get_contents('php://input');
$sig  = $_SERVER['HTTP_X_SIGNATURE'] ?? '';
$expected = 'sha256=' . hash_hmac('sha256', $body, $secret);
if (!hash_equals($expected, $sig)) {
    http_response_code(401);
    exit('invalid signature');
}
$payload = json_decode($body, true);
// process $payload['from'], $payload['body'], etc.