Authentication API

WhatsApp OTP API — Send OTP via WhatsApp

Replace SMS OTPs with WhatsApp OTPs. Higher delivery rates, lower cost, faster verification. Built on the WhatsApp Business API for Indian fintechs, banks, e-commerce, EdTech, and SaaS apps. Pay-as-you-go INR pricing from ₹0.04/message at volume.

95%+ delivery1-3 sec latency~₹0.12 / OTPNo subscriptionGST invoice

Why WhatsApp OTP beats SMS OTP in India

Metric	WhatsApp OTP	SMS OTP
Delivery rate (India)	95-99%	82-88% (carrier dependent)
Latency	1-3 seconds	10-30 seconds
Cost per OTP (India)	~₹0.12-0.20	~₹0.18-0.30
Spam folder issues	None	Frequent (operator filters)
Read receipts	Yes	No
Encryption	End-to-end (Meta)	Plaintext (operator-readable)
User experience	Familiar app, copy-button	Notification, manual copy
International support	Universal (one OTP system)	Multiple carrier contracts needed

Use cases for WhatsApp OTP

Login & registration

Verify phone number on signup; replace SMS OTP for repeat logins.

Transaction OTPs

Banks & fintechs confirming high-value transactions, transfers, withdrawals.

Account verification

Verify phone change, email change, password reset flows.

2FA / Two-factor auth

Second factor for security-sensitive admin actions in SaaS.

E-commerce COD verification

Confirm cash-on-delivery orders to reduce return-to-origin.

EdTech enrolment

Verify student phone on course registration; OTP for parent contact.

Healthcare appointments

Verify patient identity before appointment confirmation.

Gig-economy onboarding

Verify driver/delivery partner phone numbers on signup.

Government & PSU services

Citizen verification for digital service access.

How to implement WhatsApp OTP (5-minute setup)

Sign up at web.zaptilo.ai and generate an API token.
Submit an Authentication-category template (e.g. login_otp) — typically approved within an hour.
Generate a 6-digit OTP server-side, store with expiry (e.g. Redis with 10-minute TTL).
POST to Zaptilo's /api/send/template endpoint with the recipient's number and OTP value.
Verify the user-submitted OTP against your stored value.

cURL

curl -X POST https://web.zaptilo.ai/api/send/template \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "phone": "919876543210",
    "template": {
      "name": "login_otp",
      "language": { "code": "en" },
      "components": [{
        "type": "body",
        "parameters": [{ "type": "text", "text": "482910" }]
      }]
    }
  }'

PHP / Laravel

// PHP / Laravel — using zaptilo/whatsapp Composer package
use Zaptilo\WhatsApp\Zaptilo;

$otp = random_int(100000, 999999);
Cache::put("otp_{$user->phone}", $otp, now()->addMinutes(10));

$client = new Zaptilo(env('ZAPTILO_API_TOKEN'));
$client->sendTemplate(
    phone: '91' . $user->phone,
    templateName: 'login_otp',
    language: 'en',
    bodyValues: [(string) $otp]
);

Node.js

// Node.js — using zaptilo-whatsapp npm package
const { Zaptilo } = require('zaptilo-whatsapp');

const otp = Math.floor(100000 + Math.random() * 900000);
await redis.set(`otp:${phone}`, otp, 'EX', 600);

const wa = new Zaptilo({ token: process.env.ZAPTILO_API_TOKEN });
await wa.sendTemplate(
  `91${phone}`,
  'login_otp',
  'en',
  [String(otp)]
);

Python

# Python — using zaptilo-whatsapp PyPI package
import random, redis
from zaptilo_whatsapp import Zaptilo

otp = random.randint(100000, 999999)
redis_client.set(f"otp:{phone}", otp, ex=600)

client = Zaptilo(token=os.environ['ZAPTILO_API_TOKEN'])
client.send_template(
    phone=f"91{phone}",
    template_name="login_otp",
    language="en",
    body_values=[str(otp)]
)

Full integration guides: Laravel · Node.js · Python · Spring Boot · .NET

OTP best practices

Use a 6-digit numeric OTP. 4-digit is too easy; 8+ adds friction.
Set short expiry (5-10 minutes). Reduces phishing window.
Rate-limit OTP requests per phone number — max 3-5 per hour. Prevents abuse.
Add SMS fallback for the rare user without WhatsApp. Try WhatsApp first, fall back after 30s.
Use Meta's "Copy Code" button in the template — better UX than typing.
Include a security note in the template body ("Don't share this code with anyone").
Log failed verifications to your fraud detection — repeated wrong OTPs is a red flag.

Frequently asked questions

What is WhatsApp OTP API?

WhatsApp OTP API is a programmatic interface for sending one-time passwords (OTPs) and verification codes through WhatsApp instead of SMS. You submit a pre-approved Authentication-category template to Meta, then call the API with the recipient's number and the OTP value at runtime. Meta delivers the message instantly to the user's WhatsApp.

Why use WhatsApp OTP instead of SMS OTP in India?

Three reasons: (1) Higher delivery rate — WhatsApp OTPs reach 95%+ vs ~85% for SMS OTPs in India. (2) Lower cost — WhatsApp authentication is roughly ₹0.12-0.15 per message vs ₹0.18-0.30 for SMS. (3) Faster — WhatsApp delivers in 1-3 seconds with no carrier-side delays. Indian fintechs, banks, and SaaS apps are increasingly switching to WhatsApp OTPs.

How much does WhatsApp OTP cost in India?

Meta charges per-message authentication pricing in India (since 2024) at roughly ₹0.12 per OTP. Add the BSP markup — Zaptilo's per-message rate scales down to ₹0.04 at high volume. Total cost: under ₹0.20 per OTP at most volumes, with no monthly subscription.

Is WhatsApp OTP secure?

Yes. WhatsApp messages are end-to-end encrypted between Meta and the user's device. The OTP value travels encrypted, can only be read on the user's logged-in device, and follows the same security model as any other WhatsApp message. For most use cases it's at least as secure as SMS OTP, often more so (SMS is unencrypted).

How long does WhatsApp OTP take to deliver?

Typically 1-3 seconds in India. Compare to SMS OTPs which can take 10-30 seconds (or fail entirely on saturated carriers). For login flows where users wait staring at the OTP entry box, the difference is noticeable.

Can I send WhatsApp OTPs without the customer having WhatsApp?

No — WhatsApp OTPs only deliver to numbers active on WhatsApp. ~530M Indians use WhatsApp, so coverage is excellent for India, but you need an SMS fallback for the small percentage without WhatsApp. Most Zaptilo customers send WhatsApp first, fall back to SMS if delivery fails or after a 30-second timeout.

What's the format of a WhatsApp Authentication template?

Meta requires Authentication templates to follow a specific structure: a body with the OTP variable, an optional 'Copy Code' button (recommended for UX), and an optional security disclaimer footer. You can't include marketing language. Most templates look like: 'Your verification code is {{1}}. Don't share this code.' Meta reviews these usually in under an hour.

Can WhatsApp OTPs be used for 2FA / two-factor authentication?

Yes. WhatsApp OTPs work as the second factor in any 2FA flow — login, transaction approval, password reset, account verification. Many Indian banks and fintechs use WhatsApp OTPs for transaction confirmation specifically because of higher delivery and lower cost than SMS.

How fast is template approval for OTP messages?

Authentication-category templates are typically approved within an hour — fastest of all categories — because the format is highly constrained. If your template follows Meta's structure (body with OTP variable, security disclaimer), approval is near-instant.

Do I need to write code to send WhatsApp OTPs?

Yes for deep integration, but it's a one-time effort. Zaptilo provides native SDKs for Laravel, Node.js, Python, Spring Boot, .NET, and PL/SQL. Sending an OTP becomes a one-line call. Alternatively, no-code platforms like Zapier can call the Zaptilo API on triggers from your authentication system.

Switch your OTP delivery to WhatsApp today

Cheaper, faster, higher delivery. INR pricing. GST invoice. India-based support.

Get Started Free