Skip to content
Meta Business PartnerStep-by-step guide

How to set up an OTP flow on the WhatsApp Business API

Sending one-time passwords over WhatsApp lets customers verify logins, signups and transactions inside the chat they already use — no separate SMS gateway, no app switching, and delivery you can actually track. But WhatsApp OTPs run on the authentication message category, which has its own template rules, button behaviour and pricing. This tutorial walks you through building a production-ready OTP flow on the official WhatsApp Business API with InfiQ, from creating the authentication template to triggering codes from your app, testing end to end, and avoiding the mistakes that get OTP templates paused or messages marked as spam.

Authentication
Message category
Per delivered message (Meta rate card)
Billing
Copy code / one-tap autofill
Button options
Minutes to create; same-day go-live
Setup time
You own your BSUID and number
Account model
India-based, guided setup
Support

What you'll do

Create an approved WhatsApp authentication template with a copy-code or one-tap button, wire your backend to generate a code and call the send API (or trigger it no-code in InfiQ), test with your own number, then go live — authentication messages bill per delivered message.

Before you start: what a WhatsApp OTP flow actually needs

An OTP flow on WhatsApp is not a normal marketing or utility message — it uses Meta's dedicated authentication message category, which unlocks purpose-built features like a copy-code button and a security-footer disclaimer, but also comes with stricter content rules (the code and a short verification purpose, nothing else). Before you build anything, make sure the groundwork is in place so approval and delivery go smoothly.

  • An active WhatsApp Business API account connected through InfiQ, with your Meta Business Manager verified.
  • A registered sender number in good standing — a fresh number should be warmed up before high-volume OTP traffic.
  • Your backend able to generate and store a short-lived code (typically 4–8 digits, valid for a few minutes).
  • A clear idea of where OTPs trigger: login, signup, password reset, checkout or a sensitive account change.

Step 1 — Create and submit the authentication template

OTPs must be sent from a pre-approved template in the authentication category — you cannot free-type an OTP message. In InfiQ's template manager, create a new template, set the category to Authentication, and choose your button type. WhatsApp fills the message body with a standardised security line, so you mainly configure the code delivery mechanism and optional add-ons. Submit it and Meta usually reviews authentication templates quickly, though allow time before a launch.

  • Choose Copy code (customer taps to copy the OTP and pastes it into your app) or One-tap autofill where supported (the code is handed back to your app automatically).
  • Add the code as a variable so each send injects the freshly generated OTP.
  • Optionally enable the security disclaimer footer and a message-expiry line so users know the code is time-limited.
  • Keep it strictly transactional — authentication templates cannot carry promotions, links or extra copy, or they will be rejected.

Step 2 — Generate the code and trigger the send

Your application owns the actual OTP: generate a random short-lived code, store a hashed or time-boxed copy against the user's session, then hand it to WhatsApp only as a template variable. In InfiQ you can trigger the send two ways — call the send API from your backend at the moment the user requests verification, or use a no-code flow/automation for simpler cases. The template name, the recipient number in international format, and the code variable are all you need in the payload.

  • Generate the code server-side and set an expiry (for example 5 minutes); never send a code your backend cannot later validate.
  • Populate the template's code variable and, for copy-code buttons, the button parameter as well.
  • Send via InfiQ's API from your auth service, or map the trigger to a no-code automation for low-volume use.
  • Log the returned message ID so you can reconcile delivery and read receipts against each verification attempt.

Step 3 — Test the full round trip before going live

Test with your own WhatsApp number first, on a real device, so you see exactly what the customer sees. Request a code from your app, confirm the message arrives with the correct OTP, tap the copy-code (or one-tap) button, and complete verification back in your product. Then deliberately try the unhappy paths — an expired code, a wrong code, and a re-request — to make sure your backend validation and rate limiting behave. Watching InfiQ's delivery and read status here confirms the message is genuinely reaching handsets, not just accepted by the API.

  • Confirm the code in the message matches the code your backend stored for that session.
  • Verify the copy-code button pastes cleanly and one-tap (where enabled) returns the code to your app.
  • Test expiry, an incorrect code, and resend cooldowns so users can't brute-force or spam requests.
  • Check delivery and read status in InfiQ to catch numbers that silently fail.

Step 4 — Go live, monitor quality and control cost

Once the flow works end to end, enable it for real users and keep an eye on two things: your number's quality rating and OTP delivery success. Authentication messages are billed per delivered message under the authentication category, so cost scales directly with verification volume — InfiQ shows this as transparent ₹ pricing (ex-GST) so you can forecast spend against sign-up and login numbers. Because OTPs are user-initiated and expected, they usually enjoy strong delivery and read rates, but a spike in failures or blocks is an early warning worth investigating.

  • Watch quality rating after launch; sudden drops often mean users are blocking or reporting messages.
  • Track delivery failure rate by number range to spot carrier or reachability issues.
  • Remember authentication bills per delivered message — model cost against expected daily verifications.
  • Consider a fallback path (retry or an alternate channel) only for users who genuinely can't receive WhatsApp.

Common mistakes that break OTP flows

Most OTP problems trace back to a handful of avoidable errors. The template gets rejected for containing anything beyond the code and its purpose; the wrong category is chosen, so the message either fails or costs more than it should; or a brand-new number is pushed straight into thousands of OTP sends and gets throttled. On the backend, teams forget to expire or rate-limit codes, turning a security feature into a vulnerability. Getting the template category and validation logic right from the start saves you a painful round of rejections and re-tests.

  • Adding marketing copy, links or branding to an authentication template — it will be rejected.
  • Using a utility or marketing template for OTPs instead of the authentication category.
  • Not warming up a fresh number before sending high OTP volume.
  • Skipping code expiry or resend rate limits, leaving the flow open to abuse.

Do this in InfiQ now

Talk to InfiQ

Want us to set this up with you?

Tell us where you’re stuck — we’ll walk you through it and get you live.

Step 1 of 2
WhatsApp

Protected by invisible spam checks · replies within 1 working day

Frequently asked questions

How long does it take to set up a WhatsApp OTP flow?+
The template itself takes minutes to create in InfiQ, and Meta typically reviews authentication templates quickly. The wiring on your side — generating, storing and validating the code — is the main work; teams with an existing auth service often go live the same day.
Do I need a developer to build an OTP flow?+
You need someone who can generate a code and validate it in your backend, since your application owns the OTP itself. Creating and managing the WhatsApp authentication template in InfiQ is no-code, but the send trigger for a real login flow is usually wired via the API by a developer.
Can I put my logo, offer or a link in the OTP message?+
No. Authentication-category templates are deliberately restricted to the verification code and a short security purpose. Adding promotions, links or extra branding will get the template rejected — send those in a separate marketing or utility message instead.
What's the difference between copy-code and one-tap OTP buttons?+
Copy-code shows a button that copies the OTP to the clipboard so the customer pastes it into your app manually. One-tap autofill, where supported by the device and app, hands the code directly back to your application so the user barely has to do anything. Copy-code is the widely available default.
How much does a WhatsApp OTP cost?+
OTPs use the authentication message category, which since 1 July 2025 bills per delivered message rather than per conversation. InfiQ shows this as transparent ₹ pricing (ex-GST) on Meta's live rates, so your cost scales with the number of codes actually delivered.
Is the 24-hour window relevant to OTPs?+
The 24-hour window is a free service window for replying to a user who messaged you — it is not how OTPs are billed. Each delivered authentication message is charged per message regardless of any window, so plan cost around verification volume, not conversations.
How do I keep my OTP messages from being marked as spam?+
Send OTPs only when the user has just requested verification, keep the template strictly transactional, warm up new numbers, and monitor your quality rating after launch. Because OTPs are expected and user-initiated, they usually maintain strong delivery — a sudden failure or block spike is the signal to investigate.
Can I own and manage the WhatsApp number and account myself?+
Yes. InfiQ sets you up with full ownership of your Business-Scoped User ID (BSUID) and sender number, so your authentication assets and message history stay yours, with India-based support to help through setup and go-live.