What breaks under BSUID
If your WhatsApp Business stack does any of the following, it's on the critical path:
- Phone number is the primary key in your CRM. Webhooks return BSUIDs as the canonical identifier now. Phone numbers are still in the payload but Meta has flagged them "non-canonical." When a customer chooses a username (H2 2026), the phone-to-customer link can break, and your handler won't know it broke.
- You're on a custom PHP/Laravel/Node webhook handler built before Q4 2025. These were almost all phone-keyed by default. Bespoke MENA agency code from 2022 to 2024 is the highest-exposure category we see.
- Your platform (Salla, Zid, Shopify, Woo) hasn't pushed a BSUID-aware update. Most plugins as of May 2026 still are not. Confirm with platform support, don't assume.
- You reconcile inbound replies to customer records. Two-way conversation = exposed. Broadcast-only = safer (for now).
The migration isn't a column rename. BSUIDs are BSP-scoped, the same end-customer has a different BSUID under Twilio vs 360Dialog vs Direct Cloud API. Your contact resolution layer has to account for this.
What we do, the 5-day Migrate sprint
A productized engagement. Fixed scope, fixed price, fixed timeline.
Day 1, Audit. We map your current contact identity model: every place phone number is keyed, every webhook handler, every BSP integration. Output: a written diagnostic with severity per surface.
Day 2, Schema. We design the new contact resolution layer. Primary key migrates to BSUID-plus-BSP composite. Phone number stays as a queryable attribute, not the canonical reference.
Day 3, Implementation. We ship the migration code: webhook handler updates, CRM schema patches, BSP-specific contact-book sync. Code lives in your repo, reviewed by your engineers.
Day 4, Cutover. Staging-to-prod with rollback path. New webhooks land in the BSUID-aware handler. Old phone-keyed records get backfilled from Contact Book API.
Day 5, Verify + handoff. End-to-end traffic test. Reconciliation metrics dashboard delivered. 30-day monitoring window starts.
What you get on Day 5: working BSUID migration in production, a written runbook, a remediation report for any pre-existing data drift, and 30 days of monitoring included.
Pricing, Migrate
- Audit only, $499. Written diagnostic, severity-ranked, with code-level remediation list. Delivered in 48 hours. Credit applies to the sprint if you upgrade within 14 days.
- Migration sprint, $2,500. Full 5-day engagement. Audit included. Fixed price, fixed scope. Refundable if we determine your stack is not actually affected (rare, we'll tell you upfront after the audit).
- Monitoring, $99/month. 30-day window included with the sprint. After that, $99/month for ongoing BSUID drift detection, payload-change alerts, and quarterly stack reviews.
- Agency white-label, $499/month. For MENA agencies running Migrate sprints on behalf of their own clients. Includes co-branded audit report, internal playbook access, and bulk-pricing on sprints (20% off after the third client).
Why us
- Built by the people who read Meta's changelogs the day they ship. This isn't a generic "WhatsApp consultancy." It's a migration kit for one specific Meta change, productized.
- MENA-native. Based in El Gouna, Egypt. We've worked with Salla and Zid integrations from the inside. Arabic-document handling, KSA-specific template rules, MENA agency code patterns, we've seen all of them.
- Built by ExAutomatica. A venture studio shipping AI products. ShiftKit is the WhatsApp arm. Our other ventures (sahy.ai, Railroaded) demonstrate the same operating pattern: ship the productized fix, then automate the operations layer.
- Karim Elsahy. Founder. Prior: UniversalHealthCare.ai. Published cornerstone content at sahy.ai and Hacker News. We name our operators because we believe accountability follows attribution.
FAQ
How do I know if my stack is actually affected?
Run the 3-minute audit at the top of this page. If the verdict is "Vulnerable" or "At Risk," you're exposed. If it says "Safe," you've already migrated (or your BSP did it for you).
Can my own engineers do this?
Yes, and we'll tell you that on the audit call if it's true. Our edge is having done this 20+ times by the time you book us, not having a secret. If your team has the bandwidth and BSP experience, our cornerstone guide gives you the playbook for free.
What if my BSP says they handle BSUID for us?
Some BSPs (Twilio Conversations, 360Dialog managed contact book) carry the mapping internally. You're still on the hook to consume the BSUID via webhook and store it. Don't assume "the BSP handles it" means "your CRM is safe." Run the audit.
What's the cutover risk?
Low if we run the staging window. Zero so far in our completed sprints. The migration is additive, we add BSUID-keyed records alongside phone-keyed ones, verify reconciliation matches, then swap the canonical reference. Rollback is one config flag.
Do you do Arabic-language support?
Yes. Audit reports available in Arabic. Engineering docs stay in English (the WhatsApp Business Platform docs themselves are English-only).
What happens after the 30-day monitoring window?
You can extend to $99/month, or self-host. We deliver the monitoring stack as code. No lock-in.
What if WhatsApp usernames roll out later than H2 2026?
Meta has slipped before. Doesn't matter, the BSUID migration is already in production (since March 31). Usernames just amplify the cost of waiting. The migration is not optional, only the timing is debatable.
Get the verdict on your stack
Two minutes. No email gate. We tell you whether you're exposed before we ask for anything.