WhatsApp AI Chatbot in 15 Minutes: The Build Is Easy, The Bans Are Not

WhatsApp has 500M+ users in India and your customers already live there. Manual replies are expensive and time-gated, so a customer who messages at 2am waits until morning. An AI chatbot gives you 24/7 presence, and with the right stack the build genuinely takes 15 minutes.

I run a WhatsApp automation stack across my own sites, and I will say the quiet part first. The 15-minute build is the easy 15 minutes. The part that actually decides whether your business survives on WhatsApp is a single compliance rule that almost no "build a bot fast" guide bothers to write down. Get the build right and the rule wrong, and your number is dead inside a week. So this article does both: the working stack, and the rule that keeps it alive.

Decision: Code vs No-Code

No-Code Path (Faster, But Limited)

• BotPenguin (Indian, starts Rs 1,500/mo)
• WATI (Rs 2,800/mo)
• Interakt (Rs 999/mo, basic tier)

Pros: drag-drop, templates, 2-hour setup. Cons: hard to customise, recurring cost, shallow AI depth.

Code Path (More Work, Infinitely Flexible)

• Twilio WhatsApp Business API plus your backend plus an AI API
• One-time setup effort, then unlimited flexibility
• Cost: Rs 0.80 to 1.20 per conversation (Twilio) plus AI costs

This guide covers the code path because its ceiling is the highest.

Prerequisites

1. WhatsApp Business Account (verified with business docs)
2. Twilio account with WhatsApp enabled
3. OpenAI, Claude, or Sarvam API key
4. Server (Cloudflare Workers free tier works, or your own box)

Step 1, Twilio Setup (5 min)

1. Sign up at twilio.com/console
2. Messaging then Try WhatsApp then scan the QR with your WhatsApp Business
3. Note your Account SID plus Auth Token
4. You get a Sandbox number; production needs Facebook Business Manager approval (1 to 2 days)

For development, the Sandbox WhatsApp number is perfect.

Step 2, FastAPI Webhook (5 min)

# main.py
from fastapi import FastAPI, Form
from twilio.twiml.messaging_response import MessagingResponse
from openai import OpenAI
import os

app = FastAPI()
openai_client = OpenAI(api_key=os.getenv("OPENAI_API_KEY"))

conversations = {}  # In production: use Redis / PostgreSQL

@app.post("/whatsapp")
async def whatsapp_webhook(
    From: str = Form(...),
    Body: str = Form(...),
):
    user_id = From  # e.g., "whatsapp:+919876543210"
    user_message = Body

    # Load history
    history = conversations.get(user_id, [])
    history.append({"role": "user", "content": user_message})

    # Call OpenAI
    completion = openai_client.chat.completions.create(
        model="gpt-4o-mini",
        messages=[
            {
                "role": "system",
                "content": "You are a customer support agent for Acme Corp. Respond in the user's language (Hindi/English/mixed). Keep replies concise, WhatsApp messages should be short."
            },
            *history
        ],
        max_tokens=200
    )
    ai_response = completion.choices[0].message.content

    # Save history (truncate to last 10 messages)
    history.append({"role": "assistant", "content": ai_response})
    conversations[user_id] = history[-10:]

    # Return the Twilio response
    resp = MessagingResponse()
    resp.message(ai_response)
    return str(resp)

Step 3, Deploy (5 min)

wrangler deploy

Cloudflare Workers free tier gives 100k requests/day, enough for most small businesses. If you prefer your own server, any box that exposes one HTTPS endpoint works. Note your public URL.

Step 4, Connect Twilio To Your URL

Twilio Console then WhatsApp Sandbox then "When a message comes in" then paste your URL plus /whatsapp then save.

Test: send "Hi" to the Twilio WhatsApp number and the AI replies in seconds.

The whole build is done. Now the part that decides whether the business lives.

The rule no 15-minute guide writes down: never cold-message a scraped number

Here is the lesson I would tattoo on every founder who asks me about WhatsApp. Never send a cold first-touch message to a phone number you scraped, extracted, or that has not given you a documented opt-in. Not for B2B. Not even when the business published the number itself in a public ad.

WhatsApp Business policy needs two things together: the person gave you their number, AND a documented opt-in confirming they want messages from you. A scraped or published number satisfies only the first. A cold first-touch is a flat policy violation and the single fastest way to red-rate a WhatsApp Business Account, which goes red-rating then throttle then permanent ban. There is no B2B carve-out, because Meta measures your block-and-report rate, not whether the number was public. An annoyed recipient still hits "block," and the algorithm does not care that the number was sitting in a JustDial listing.

Since 7 October 2025 the messaging limits are portfolio-wide. One spammy number now caps your entire portfolio of numbers, so a single careless blast does not kill one sender, it throttles every line you own. I have seen people burn a freshly-approved number in 48 hours this way and then conclude WhatsApp automation "does not work in India." It works. Cold blasting does not.

India layers a second law on top. TRAI's TCCCPR amendment requires commercial SMS and calls to go out on 140 or 160-series numbers with a DLT-registered consent template behind them. Fire commercial traffic from an ordinary 10-digit number and five complaints inside ten days triggers a two-year cross-operator blacklist of the sender. The bot you built in 15 minutes is not the risk. The list you feed it is.

The compliant flow that actually scales

The first touch is a human phone call, manual and low-volume, between roughly 09:00 and 21:00, framed as a reply to the ad or listing the business itself posted. That framing holds for voice, and it sits outside practical telemarketer enforcement because they invited contact. On that call you ask for verbal opt-in, something as simple as "can I send you the details on WhatsApp," and you LOG it: number, timestamp, source, and what they agreed to receive. Only then do you message.

That opt-in opens a compliant 24-hour session window plus roughly one approved template per day for the following week. This is the IndiaMART pattern, and it is the difference between a number that compounds and a number that dies. Keep a provenance note for every contact ("self-published in X listing on Y date"), purpose-limit what you send, and honour an opt-out the instant it arrives. Your chatbot answers the people who said yes. It does not hunt strangers.

When you skip Twilio: Baileys, and the scars

Twilio's official API is the clean path, and for most businesses it is the right one. But the moment you want a richer build, group listening, voice notes, or zero per-conversation fees, you end up on an unofficial library like Baileys that pairs as a linked device on your own phone. I run that path. It is powerful and it will eat your weekends if you do not know these traps in advance.

@lid is not the phone number. Modern WhatsApp groups fan messages out using an opaque @lid linked-id for privacy, not the familiar @s.whatsapp.net phone JID. The first time my listener went live, every message arrived from something like 93xxxxxxxxxxxxx@lid with the phone field empty, so my worker-matching logic saw "unknown sender" and dropped everything. Plan for this from day one. You need a multi-tier resolver: read senderPn if present, otherwise map the @lid back through the library's lid-to-phone mapping, and finally a self-check so messages from your own linked account resolve to your own number.

Two config flags or nothing decrypts. Groups simply will not decrypt unless you set syncFullHistory: true and markOnlineOnConnect: true. Without history sync, the session keys never reach your linked device and every group message fails at the signal layer with "No session record." Without marking online, the primary phone refuses to send the sender-key messages to a device it thinks is asleep. Both off equals a listener that connects cleanly and receives nothing.

The first message after pairing always fails. Right after you scan the fresh QR, the very first incoming message throws a decrypt error before your handler ever sees it. Do not debug this. Tell users to ignore the first message after pairing and send a second one. The session stabilises within about 10 to 15 seconds once history finishes syncing.

Do not auto-reconnect on code 440. A connectionReplaced (440) during initial pairing is normal handshake behaviour, not a failure. If your reconnect logic fires on it, you spawn parallel sockets that fight each other in a loop. Reconnect only on genuinely transient codes and guard the start path so a close cannot trigger two sockets at once.

None of this appears in a "build a WhatsApp bot in 15 minutes" tutorial, because the people writing those never ran one past the demo.

Make the bot actually useful

A bot that only chats is a toy. Wire it to real business actions with tool use:

TOOLS = [
    {
        "type": "function",
        "function": {
            "name": "check_order_status",
            "description": "Check the status of an order by order ID",
            "parameters": {
                "type": "object",
                "properties": {"order_id": {"type": "string"}},
                "required": ["order_id"]
            }
        }
    },
    {
        "type": "function",
        "function": {
            "name": "schedule_demo",
            "description": "Schedule a demo call",
            "parameters": {
                "type": "object",
                "properties": {
                    "name": {"type": "string"},
                    "phone": {"type": "string"},
                    "preferred_time": {"type": "string"}
                },
                "required": ["name", "phone"]
            }
        }
    }
]

Pass tools=TOOLS, tool_choice="auto" in the completion call and handle each tool call against your database. Now the bot checks orders, books demos, and captures leads instead of making small talk.

Multilingual handling

Indian audiences span 10+ languages. A strong system prompt carries most of the load:

You are multilingual. Detect the user's language and respond in the same language:
- Hindi (Devanagari or romanized)
- Tamil, Telugu, Bengali, Marathi, Gujarati, Kannada, Malayalam, Punjabi
- English
Match their register and use polite forms.

For stronger regional fluency, swap OpenAI for Sarvam AI, which is tuned for Indian languages.

Cost analysis (1000 messages/day)

• Twilio: Rs 1 per conversation times 1000 = Rs 1,000/day
• OpenAI GPT-4o-mini: roughly Rs 0.05/msg times 1000 = Rs 50/day
• Server: Rs 0 on Cloudflare Workers free tier

Monthly total lands near Rs 30,500 for 30k conversations. A single human agent with 8-hour coverage costs Rs 15,000 to 25,000/month. The AI gives 24/7 coverage at far higher volume for comparable spend.

Common pitfalls

1. Compliance first, always. Opt-in before outreach, or none of the rest matters.
2. Long responses. WhatsApp truncates; keep replies under 1,000 characters.
3. Conversation drift. Save only the last 10 messages and summarise older context.
4. Sensitive info. Never feed card numbers or passwords to the LLM; redact before sending.
5. Fallback path. Always offer "Talk to a human agent?"

Moving to production

1. Facebook Business verification (1 to 2 days)
2. Twilio Sandbox to production number
3. WhatsApp-approved message templates for proactive notifications
4. Analytics on volume, conversion, and satisfaction
5. An admin view with a message log and a human-takeover button

A WhatsApp chatbot is one of the highest-ROI automation investments an Indian business can make. The build is 15 minutes. The discipline, opt-in first, scraped numbers never, is what makes it last.