Architecture

Architecture Overview

Built for Reliability. Designed for Control

Our technical team is ready to answer all your questions regarding infrastructure, data security, etc. Contact us for more information.

WCR is not a middleware proxy or a shared integration layer. Every deployment — from a single Zendesk account to a regulated enterprise — runs on the same production-grade stack: a compiled Vue.js frontend, a PHP API, and one or several dedicated MariaDB databases, all communicating over HTTPS with end-to-end credential isolation.

The Core Stack

┌─────────────────────────────────────────────────────────────┐
│                        BROWSER / ZENDESK                    │
│                    Vue.js SPA  ·  Sidebar App               │
└───────────────────┬─────────────────────┬───────────────────┘
                    │ HTTPS               │ HTTPS
        ┌───────────▼──────────┐  ┌───────▼────────────────┐
        │     PHP + Apache     │  │   Sunco Webhook Layer  │
        │      /app/api/       │  │       /sunco/          │
        └───────────┬──────────┘  └────────────────────────┘
                    │ TCP (internal network)
        ┌───────────▼──────────┐
        │      MariaDB         │
        │   (isolated server)  │
        └──────────────────────┘

Layer      Technology            Notes
Frontend   Vue.js, compiled SPA  URLs baked at build time per customer
API        PHP + Apache          Served at /app/api/, isolated from web root
Database   MariaDB               Separate server, user restricted by IP
Transport  HTTPS (TLS)           HTTP permanently redirected to HTTPS

URL Structure

Every WCR deployment exposes three distinct surface areas under a single domain:

https://your-domain.com/
│
├── /app/              ← Vue.js SPA (compiled frontend)
│   └── /app/api/v2/   ← PHP REST API
│
└── /sunco/            ← WhatsApp webhook receiver

This structure means there is no routing conflict between the SPA, the API, and the webhook layer. Each path is independently controlled by Apache and can be secured, rate-limited, or versioned without affecting the others.

Security Architecture

Credentials never touch the web root. Environment files are stored above the Apache DocumentRoot and are never accessible via HTTP.

[server filesystem]
│
├── [above web root]               ← credentials never served by Apache
│   ├── .env                       ← base credentials (DB, email, API keys)
│   ├── .env.enterprise            ← enterprise feature flags
│   └── .env.enterprise.customer   ← customer-specific overrides
│
└── [web root]                     ← Apache DocumentRoot (web-accessible)
    └── app/
        ├── index.html             ← Vue SPA entry point
        ├── js/ css/ img/          ← compiled assets
        ├── api/                   ← PHP API (no directory listing)
        └── sunco/                 ← webhook receiver

PHP locates the correct .env file at runtime by walking up the directory tree — the web server never has a path to serve them.
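
An added sketch of the lookup described above, not WCR's own code: it walks up from the API directory, ignores any directory that resolves inside the DocumentRoot, and merges the three files from the tree in order. The function names, the KEY=value parsing and the override order are assumptions; it needs PHP 8 or later.

```php
<?php
// Assumed layering order, taken from the tree above: later files override earlier ones.
const ENV_LAYERS = ['.env', '.env.enterprise', '.env.enterprise.customer'];

// True when $path is $root or lies beneath it (both already resolved by realpath()).
function isInside(string $path, string $root): bool
{
    $root = rtrim($root, '/') . '/';
    return strncmp(rtrim($path, '/') . '/', $root, strlen($root)) === 0;
}

// Walk up from $startDir to the first directory that holds a .env file.
// Directories inside the DocumentRoot are skipped, so a stray .env that
// ends up in the web root is never picked up as configuration.
function findEnvDir(string $startDir, string $docRoot): ?string
{
    $dir = realpath($startDir);
    $root = realpath($docRoot);
    if ($dir === false || $root === false) return null;
    while (true) {
        if (!isInside($dir, $root) && is_file($dir . '/.env')) {
            return $dir;
        }
        $parent = dirname($dir);
        if ($parent === $dir) { // filesystem root reached, nothing found
            return null;
        }
        $dir = $parent;
    }
}

// Merge the layers found in that directory into one key => value array.
function loadEnv(string $startDir, string $docRoot): array
{
    $dir = findEnvDir($startDir, $docRoot)
        ?? throw new RuntimeException('no .env found outside the DocumentRoot');
    $values = [];
    foreach (ENV_LAYERS as $name) {
        $file = "$dir/$name";
        $lines = is_file($file) ? (file($file, FILE_IGNORE_NEW_LINES) ?: []) : [];
        foreach ($lines as $line) {
            $line = trim($line);
            if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) continue;
            [$key, $value] = explode('=', $line, 2);
            $values[trim($key)] = trim($value);
        }
    }
    return $values;
}
```

From an API bootstrap file this would be called as `loadEnv(__DIR__, $_SERVER['DOCUMENT_ROOT'])`; failing closed when no file is found outside the web root keeps a misplaced deployment from starting with partial credentials.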

Credential type     Storage                                Accessible via HTTP?
Database passwords  Environment files above web root       No
API keys            Environment files above web root       No
SSL private key     Outside container, mounted read-only   No
Compiled frontend   Web root                               Yes (intentional)

Enterprise Deployment: Multiserver Model

Enterprise customers run on a fully isolated setup that can consist of one or multiple servers. Database traffic never crosses the public internet.

                      ┌──────────────────────────────┐
                      │      Customer VPN /          │
                      │      Secure Workspace        │
                      └──────────┬───────────────────┘
                                 │ HTTPS
                      ┌──────────▼───────────────────┐
                      │       API SERVER             │
                      │   Linux · Docker             │
                      │                              │
                      │  ┌─────────────────────────┐ │
                      │  │   PHP + Apache          │ │
                      │  │   container             │ │
                      │  └────────────┬────────────┘ │
                      │               │ DB (internal)│
                      │  ┌────────────▼────────────┐ │
                      │  │  Optional DB admin UI   │ │
                      │  │  (internal access only) │ │
                      │  └─────────────────────────┘ │
                      └────────────┬─────────────────┘
                                   │ private network
                      ┌────────────▼─────────────────┐
                      │       DB SERVER              │
                      │   Linux · Docker             │
                      │                              │
                      │  ┌─────────────────────────┐ │
                      │  │   MariaDB container     │ │
                      │  │   persisted volume      │ │
                      │  └─────────────────────────┘ │
                      └──────────────────────────────┘

Both containers use auto-restart policies — they survive reboots without manual intervention. The database volume is persisted on the host filesystem, independent of the container lifecycle.

Why Docker? Enterprise environments often run hardened OS configurations with locked package mirrors. Docker sidesteps host-level dependency issues entirely, delivering a reproducible, version-pinned runtime that installs in minutes regardless of the underlying OS configuration.

File Transfer: Air-Gapped Deployment

Some enterprise environments restrict inbound SSH access to the production servers. WCR's deployment pipeline handles this through an intermediate relay:

Dev Machine  ──►     Secure relay     ◄──  Production server
                     (intermediate)        (pulls, doesn't receive)

The production server initiates all outbound connections — no inbound firewall rules need to be opened. Relay credentials are never stored in scripts.

Platform Integration: Zendesk & Meta

WCR integrates with two distinct Zendesk API surfaces to close the loop between message delivery and your support workflow. Crucially, WCR never communicates with the Meta Cloud API directly — all WhatsApp connectivity is mediated through one or more Zendesk WhatsApp Channels configured per WCR connection.

┌──────────────────────────────────────────────────────────────┐
│                        WCR BACKEND                           │
│  ┌──────────────────────────┐  ┌──────────────────────────┐  │
│  │  App API / PHP           │  │  Sunco Webhook Receiver  │  │
│  └──────────────────────────┘  └──────────────────────────┘  │
└──────────────┬────────────────────────────────┬──────────────┘
               │ Support API (write)            ▲ Conversations API
               │ tickets & private notes        │ events & inbound msgs
┌──────────────▼────────────────────────────────┴──────────────┐
│                     ZENDESK PLATFORM                         │
│  ┌────────────────────┐   ┌──────────────────────────────┐   │
│  │  Zendesk Support   │   │  Conversations API (Sunco)   │   │
│  │  Tickets · Agents  │   │  WhatsApp Channel(s)         │   │
│  └────────────────────┘   └───────────────┬──────────────┘   │
└───────────────────────────────────────────┼──────────────────┘
                                            │
                                 ┌──────────▼───────────┐
                                 │    Meta Cloud API    │
                                 └──────────────────────┘

Surface         Purpose                                                                              Consumers
App API         Internal frontend operations, session management, agent sidebar                      Vue.js SPA, Zendesk Sidebar App
Delivery API    Send and track outbound WhatsApp messages                                            External systems via token authentication
Sunco API       Launch some tasks programmatically                                                   Internal systems via user/pwd authentication
API Webhooks    Receive events from Zendesk Conversations API, like delivery errors                  Internal systems
Meta Cloud API  Never accessed by WCR; always bridged through a configured Zendesk WhatsApp Channel  ---

Every WCR connection requires at least one configured Zendesk WhatsApp Channel. This channel is the authorised bridge between Zendesk's Conversations platform and Meta's infrastructure. WCR sends and receives WhatsApp messages through Zendesk — it never holds or uses a Meta API token directly.
