Skip to content
Meta Business PartnerQuick answer inside

How do I set up WhatsApp OTP instead of SMS?

Moving one-time passwords from SMS to WhatsApp comes down to three moves: create a WhatsApp authentication-category template with a one-tap copy-code button, wire it into your login or signup flow, and keep SMS as an automatic fallback for the small share of users who aren't on WhatsApp. Done right, verification arrives with a delivery receipt, users tap once instead of typing six digits, and you pay WhatsApp's authentication rate per delivered message rather than gateway-plus-DLT SMS costs. InfiQ, an official Meta Business Partner, sets the template, sender number, and fallback logic up for Indian businesses so OTPs land reliably from day one.

Authentication category
Required template type
Copy-code or one-tap autofill
Button options
Per delivered message (auth rate)
Billing model
SMS on delivery failure
Fallback channel
Sent, delivered, read receipts
Delivery signals
You keep your WABA + BSUID
Account ownership

Quick answer

Build a WhatsApp authentication template with a copy-code button, trigger it from your app when a user requests an OTP, and fall back to SMS only when WhatsApp delivery fails. You get read receipts, one-tap entry, and per-delivered-message authentication pricing.

Why WhatsApp OTP beats SMS for verification

SMS OTP has quietly become the weakest link in Indian onboarding: DLT header and template registration, telco throttling during peaks, silent failures with no delivery signal, and no protection against SIM-swap or number-spoofing scrapers. WhatsApp authentication templates fix most of that. Delivery is confirmed with sent, delivered, and read receipts, so your backend knows whether the code actually reached the handset before you show a 'resend' button. The message lands inside an end-to-end encrypted, verified business sender rather than an anonymous alphanumeric header, which raises trust and cuts phishing risk. And because WhatsApp reaches over half a billion Indian users, the vast majority of your signups can receive the code in the app they already have open.

  • Delivery receipts (sent / delivered / read) instead of SMS's fire-and-forget
  • One-tap copy-code button — users don't retype six digits
  • Verified business sender reduces OTP phishing and spoofing
  • No DLT header/template registration overhead for the WhatsApp path
  • Authentication-category pricing that's typically lower than Indian SMS + gateway fees

Step 1: Build the authentication template

OTPs must go out on an authentication-category template — you cannot send a code as free-form text or a marketing template, and Meta will reject attempts to do so. In the InfiQ template builder you pick the Authentication category, add the verification-code variable as the body parameter, and attach a button. You get two button styles: a copy-code button, which drops the OTP onto the user's clipboard so they paste it back into your app, and a one-tap autofill button, which passes the code straight into your Android app via a package name and signing-hash handshake. Authentication templates use Meta's fixed, pre-approved wording (the code plus an optional security disclaimer and expiry line), which is exactly why they clear review fast — you're choosing from a controlled format rather than writing custom copy that can trip a rejection.

  • Category: Authentication (required for OTP — never Utility or Marketing)
  • Body variable: the {{code}} parameter your backend fills at send time
  • Button: 'Copy code' for any device, or 'One-tap autofill' for native Android
  • Optional: code-expiry line (e.g. 'expires in 10 minutes') and security warning

Step 2: Route OTPs through WhatsApp, keep SMS as fallback

In your login and signup service, replace the SMS gateway call with a WhatsApp send at the moment a user requests a code. The InfiQ API returns a message ID you store against the OTP session; webhooks then push delivery status back to you in real time. The key design choice is the fallback: if WhatsApp returns a failed status — the recipient has no WhatsApp account, the number is a landline, or delivery times out after a few seconds — your service automatically fires the same code over SMS instead. Most teams set a short delivery timeout (roughly 15–30 seconds) so a genuine WhatsApp user gets the fast path while a non-WhatsApp user still receives their code without noticing the difference. This 'WhatsApp-first, SMS-fallback' pattern is what lets you shift the majority of volume off SMS while never leaving a real user unable to log in.

What WhatsApp OTP costs in India

Since 1 July 2025 WhatsApp bills per delivered message by category, so every authentication OTP that reaches a handset is charged at the authentication rate — not per conversation, and the 24-hour service window doesn't apply to template sends like OTPs. That per-message model makes verification cost predictable: you multiply expected successful deliveries by the authentication rate, and your SMS fallback only bills on the smaller slice that couldn't be reached on WhatsApp. For most Indian businesses the authentication rate lands below the combined SMS gateway plus DLT cost, and the savings compound at signup-heavy scale. InfiQ applies its own transparent ₹ platform pricing on Meta's live authentication rate (ex-GST) with no per-OTP surprises, and the calculator lets you model your real monthly verification spend before you switch.

  • Billed per delivered authentication message
  • SMS fallback only costs on the deliveries WhatsApp couldn't complete
  • Transparent ₹ pricing, ex-GST — model it in the InfiQ calculator first

Reliability, security, and account ownership

A verification flow can't afford flakiness, so a few operational details matter. Keep your OTP template's failure rate low by only sending codes to opted-in numbers you actually collected — mass, unsolicited OTP sends trigger quality flags. Set a sensible code lifetime and rate-limit requests per number to blunt OTP-flooding abuse. Because InfiQ onboards you through Meta's Embedded Signup, the WhatsApp Business Account and its BSUID (Business-Scoped User ID, the identifier under WhatsApp's 2026 usernames change) stay owned by you — your sender number, templates, and message history are yours, and you can move providers without losing your verified identity. That ownership is what protects a critical login channel from vendor lock-in.

Do this with InfiQ

Talk to InfiQ

Get a straight answer for your setup

Tell us what you’re trying to do — a WhatsApp specialist replies within one working day.

Step 1 of 2
WhatsApp

Protected by invisible spam checks · replies within 1 working day

Frequently asked questions

Can I send an OTP as a normal WhatsApp message?+
No. One-time passwords must use an authentication-category message template with a code parameter — WhatsApp will not deliver OTP codes sent as free-form session messages or under marketing/utility templates, and such attempts are rejected in review.
What happens if a user doesn't have WhatsApp?+
Your flow falls back to SMS automatically. When the WhatsApp send returns a failed or timed-out delivery status, your backend fires the same code over your SMS gateway, so non-WhatsApp users still verify without any manual step.
How is WhatsApp OTP priced versus SMS?+
WhatsApp charges the authentication rate per delivered message (since the 1 July 2025 move to per-message billing). For most Indian businesses that's lower than SMS gateway plus DLT costs, and your SMS fallback only bills on deliveries WhatsApp couldn't complete.
Do WhatsApp OTPs need DLT registration like SMS?+
The WhatsApp path doesn't use India's SMS DLT header and template registry — approval is handled through Meta's WhatsApp template review instead. If you keep SMS as a fallback, that SMS leg still follows normal DLT rules.
What is a one-tap autofill OTP button?+
It's an authentication-template button that passes the code directly into your native Android app using your package name and app signing hash, so the user taps once and the field fills itself. On other devices, the copy-code button places the OTP on the clipboard to paste back.
How fast do authentication templates get approved?+
Usually quickly, because authentication templates use Meta's fixed, pre-approved format rather than custom copy — you're selecting a controlled layout, which leaves far less to reject than a marketing template.
Will switching to WhatsApp OTP hurt my delivery if the number is new?+
Send only to opted-in numbers, warm the sender gradually, and rate-limit OTP requests per number. Mass unsolicited OTP sends can lower template quality; a clean, consented verification flow keeps delivery and quality high.
Do I keep control of my WhatsApp account if I use InfiQ?+
Yes. Onboarding runs through Meta's Embedded Signup, so your WhatsApp Business Account and its BSUID remain owned by you — your number, templates, and history stay yours and you can migrate providers without losing your verified identity.

Switch your OTPs to WhatsApp with InfiQ

Get your authentication template built, your SMS fallback wired, and your verification cost modelled — talk to InfiQ, an official Meta Business Partner, and go live with WhatsApp OTP this week.