
WhatsApp OTP Authentication — Replace SMS OTP for Indian Users

SMS OTP suffers from SIM swap fraud, DLT filter delays, and 95% delivery. WhatsApp OTP delivers to 99%+ of Indian users with a verified business account badge, so users trust it more. This guide covers implementing WhatsApp OTP authentication using Meta's authentication template category.


Comparison for India

| Factor | WhatsApp OTP | SMS OTP |
| --- | --- | --- |
| Delivery to Indian users | 99%+ (90%+ are on WhatsApp) | 95% (carrier dependent) |
| DLT registration required | ❌ No | ✅ Yes — mandatory in India |
| SIM swap fraud risk | Lower (WhatsApp account-linked) | Higher (SIM-linked) |
| User trust | High (verified green tick) | Moderate (SMS spoofable) |
| Cost per OTP | ₹0.10-0.14 (authentication conv.) | ₹0.10-0.20 per message |
| Delay risk | Low (internet delivery) | Moderate (carrier congestion) |
| Autofill support | ✅ Android autofill supported | ✅ SMS autofill (OTP read) |
| One-tap experience | ✅ Copy code button in template | ✅ SMS autofill on Android |

Important: WhatsApp OTP requires the user to have WhatsApp installed and internet access. For users without WhatsApp, you must have SMS OTP as fallback. Always implement fallback for 100% coverage.

Code walkthrough

1. Create authentication template in WA.Expert

In WA.Expert → Templates → New Template → Category: Authentication. Authentication templates have a special format: "Your verification code is {{1}}. This code expires in 10 minutes." Meta approves these quickly (usually under 1 hour).

2. Generate and store OTP on your server

Generate a cryptographically random 6-digit OTP. Do not use Math.random(); use crypto.randomInt(100000, 1000000) in Node.js (the upper bound is exclusive) or secrets.randbelow(900000) + 100000 in Python. Store it in Redis with a 10-minute TTL: SET otp:{phone} {code} EX 600.

3. Send WhatsApp OTP via WA.Expert API

POST to the WA.Expert API with the authentication template name and the OTP as variable {{1}}. The message includes a built-in "Copy Code" button that the user taps to copy the code.

4. Verify OTP on submission

When the user submits the code, check Redis: GET otp:{phone} → compare with the submitted code. If it matches: delete the key (single-use) and proceed. If it does not match: increment the failure counter (block after 3 failures).

5. Implement fallback to SMS

If the WA.Expert API returns an error (phone not on WhatsApp), automatically fall back to your SMS provider (Twilio, MSG91, etc.) for the same OTP. Log fallback events for monitoring.
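Steps 2 to 5 as one flow, in an added example that is not WA.Expert's own code: a dict stands in for Redis, and OtpService, NotOnWhatsApp and the two sender callables are hypothetical names wrapping whatever WhatsApp and SMS clients you use. Revoking the code after the third wrong guess is one reading of "block after 3 failures", and the constant-time comparison is an addition to step 4.

```python
import hmac
import logging
import secrets
import time

OTP_TTL = 600      # seconds; the 10-minute expiry from step 2
MAX_FAILURES = 3   # wrong guesses allowed before the code is revoked (step 4)
log = logging.getLogger("otp")


class NotOnWhatsApp(Exception):
    """Hypothetical error the WhatsApp sender raises for a number without WhatsApp."""


class OtpService:
    def __init__(self, send_whatsapp, send_sms, clock=time.monotonic):
        self._send_wa, self._send_sms, self._clock = send_whatsapp, send_sms, clock
        self._store = {}  # phone -> [code, expires_at, failures]; stand-in for Redis

    def issue(self, phone):
        code = str(secrets.randbelow(900000) + 100000)  # CSPRNG, 100000..999999
        self._store[phone] = [code, self._clock() + OTP_TTL, 0]
        try:
            self._send_wa(phone, code)
            return "whatsapp"
        except NotOnWhatsApp:
            # Log the fallback for monitoring, but never the code or the full number.
            log.warning("OTP fallback to SMS for number ending %s", phone[-4:])
            self._send_sms(phone, code)  # same OTP, as in step 5
            return "sms"

    def verify(self, phone, submitted):
        entry = self._store.get(phone)
        if entry is None or self._clock() >= entry[1]:
            self._store.pop(phone, None)  # unknown or expired
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(entry[0].encode(), str(submitted).encode()):
            del self._store[phone]  # single-use: delete on success
            return True
        entry[2] += 1
        if entry[2] >= MAX_FAILURES:
            del self._store[phone]  # revoke; the user must request a new code
        return False
```

Each call to issue() replaces the stored code and resets the failure count, so rate-limit OTP requests per number as well as verification attempts.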

Template requirements

Meta has specific requirements for authentication templates — they use a special "authentication" category with a standardised format that includes a built-in "Copy Code" button.

```
// Authentication template format
// Approved by Meta automatically for authentication category
Message body: "{{1}} is your verification code for WA.Expert. For your security, do not share this code."
Footer: "This code expires in 10 minutes."
Button: "Copy Code" (automatically added by Meta)

// API call to send WhatsApp OTP
{
  "to": "919876543210",
  "template": "otp_authentication",
  "variables": {"1": "847291"}
}
```

Authentication templates have a separate pricing category (₹0.10-0.14 per conversation) and are approved much faster than marketing templates — often within 1-2 hours.

Common questions

Is WhatsApp OTP legally valid for KYC in India?
WhatsApp OTP is used for authentication and user verification. For RBI-regulated KYC requirements (banking, lending, payments), the specific OTP delivery channel requirements are set by the regulator — verify with your compliance team. For general app login, transaction confirmation, and account verification, WhatsApp OTP is widely used and legally sound.
Can WhatsApp OTP be autofilled like SMS OTP on Android?
Yes — Android supports WhatsApp OTP autofill via the same WebOTP API used for SMS. However, autofill from WhatsApp messages has more limited browser support than SMS autofill. The built-in "Copy Code" button in WhatsApp authentication templates provides a near-equivalent one-tap experience for users.
What is the OTP expiry best practice for WhatsApp?
Standard practice: 6-digit OTP with 10-minute expiry, maximum 3 attempts before lockout. WhatsApp authentication templates include a footer stating expiry time — set this to match your actual expiry (10 minutes is standard). Shorter expiry (5 minutes) increases security but may frustrate users with slow internet.
How do I handle users who don't have WhatsApp?
Implement fallback logic: (1) Try to send WhatsApp OTP via WA.Expert. (2) If API returns "phone not on WhatsApp" error, immediately send SMS OTP via your SMS provider. (3) Log fallback events. In India, approximately 10% of mobile users may not have WhatsApp (older demographics, feature phone users).
Is WhatsApp more secure than SMS for OTP?
WhatsApp OTP has security advantages over SMS: (1) WhatsApp is end-to-end encrypted, (2) Harder to spoof than SMS (SMS spoofing is common), (3) Not vulnerable to SIM swap attacks (WhatsApp uses account-level security, not SIM-level). However, if someone's WhatsApp account is compromised, they could receive the OTP. Use WhatsApp OTP as part of multi-factor authentication for high-security scenarios.
