whatsapp-mcp
WhatsApp MCP is a Go/Python bridge that connects your personal WhatsApp account to Claude or Cursor, allowing AI agents to search, read, and send messages directly from WhatsApp. Messages and media are stored locally in SQLite, sent to the LLM only on-demand through controlled tools.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | lharries/whatsapp-mcp |
| Owner | lharries |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 5.9k |
| Forks | 1.2k |
| Open issues | 207 |
| Latest release | v0.0.1 (2025-04-06) |
| Last updated | 2025-07-13 |
| Source | https://github.com/lharries/whatsapp-mcp |
What whatsapp-mcp is
A two-component system: a Go bridge using the whatsmeow library to connect to WhatsApp Web's multidevice API with QR authentication, and a Python MCP server exposing standardized tools (search, list, send) for LLM integration. Local SQLite persistence; no cloud storage of messages.
Get the whatsapp-mcp source
Clone the repository and explore it locally.
git clone https://github.com/lharries/whatsapp-mcp.gitcd whatsapp-mcp# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Go 1.x and Python 3.6+ environments; Windows users must enable CGO and install a C compiler (MSYS2 recommended). macOS/Linux setup is more straightforward.
- WhatsApp Web authentication via QR code scanning; expect ~20-day re-authentication intervals and potential device-linking issues if you have multiple connected devices.
- SQLite database grows with message history; media files are downloaded on-demand via the `download_media` tool to avoid bloating the database. Plan storage and archival.
- FFmpeg is optional but strongly recommended for sending voice messages; without it, audio must be pre-converted to .ogg Opus format.
- Project is pre-release; expect breaking changes, potential data loss if you delete `.db` files for sync recovery, and ongoing API stability risk.
When to avoid it — and what to weigh
- You require end-to-end encryption guarantees beyond WhatsApp — Messages are decrypted in the local SQLite database; an LLM integration further exposes message content to the MCP server and Claude. Security depends on host machine isolation.
- You need production-grade reliability or SLA support — Project is v0.0.1 (pre-release, 3.5 months old) with 207 open issues. Authentication requires manual re-scanning QR codes ~every 20 days. Not suitable for critical or always-on workflows.
- You operate in a regulated environment (healthcare, finance, legal) — Unvalidated security posture, local data exposure, and early-stage maturity create compliance and audit risk. Message storage in SQLite and LLM context passing require formal data governance.
- You want multi-user or enterprise account management — Designed for personal WhatsApp accounts only. No RBAC, audit logging, or support for team-based workflows. Shared deployment risks unauthorized message access.
License & commercial use
MIT License. Permissive OSI license allowing modification, private use, distribution, and sublicensing with attribution and no liability.
MIT permits commercial use without explicit permission, but project maturity (v0.0.1, active development, 207 open issues) creates operational risk. Requires internal risk assessment and legal review before commercial deployment. No warranty or SLA provided.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Possible |
| Assessment confidence | High |
Project stores decrypted WhatsApp messages in plaintext SQLite; no encryption at rest. LLM integration exposes message content to Claude's system, creating data exfiltration risk if the MCP server is compromised or Claude receives untrusted prompts. No audit logging, secrets management, or formal threat model documented. Host machine security and network isolation are critical. Strongly review the 'lethal trifecta' warning in the README before use.
Alternatives to consider
Official WhatsApp Business API
Enterprise-grade, SLA-backed, multi-user support. Requires business account and higher operational overhead; not designed for personal inbox automation.
Twilio or MessageBird WhatsApp SDKs
Cloud-hosted, production-ready, audit trails, compliance features. Centralized message handling; suitable for customer engagement but not personal message integration.
Custom integrations using selenium/playwright with WhatsApp Web
More flexible, no library dependency; higher maintenance burden, slower, and less stable due to DOM scraping fragility.
Build on whatsapp-mcp with DEV.co software developers
WhatsApp MCP is ideal for developers and early adopters seeking local-first message automation. Ensure you understand pre-release maturity, security implications, and authentication overhead before deploying.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
whatsapp-mcp FAQ
Does WhatsApp detect and ban this integration?
How often do I need to re-authenticate?
Can I use this on a shared or production server?
What happens if I delete the SQLite database files?
Custom software development services
From first prototype to production, DEV.co delivers software development services around tools like whatsapp-mcp. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across mcp servers and beyond.
Ready to integrate WhatsApp with Claude?
WhatsApp MCP is ideal for developers and early adopters seeking local-first message automation. Ensure you understand pre-release maturity, security implications, and authentication overhead before deploying.