OTP & login codes on WhatsApp
Workflow: your auth service issues a one-time code and needs a fast, user-visible delivery channel. WhatsApp is already on the customer’s phone—WAPing carries the send through a QR-linked business line, with API automation on paid tiers.
The workflow
- User submits email or phone on your login or step-up screen.
- Your server generates a short-lived code and stores a hash server-side.
- Your worker calls WAPing (or an operator triggers a template message) to deliver the code over WhatsApp to the number on file.
- User pastes the code; you validate and continue the session.
Why WhatsApp
Many users already treat WhatsApp as a notification surface. Delivery is often immediate on Wi‑Fi or data, and you avoid maintaining a separate SMS sender ID contract for every country—at the cost of depending on the user having WhatsApp and consent to message them there.
Why WAPing fits
You operate one or more WhatsApp numbers as a business line, linked via QR in WAPing—the same session can also power support replies. That keeps OTP traffic on a line you already monitor for blocks and customer complaints. It is not Meta’s hosted Cloud API product; there is no BSP onboarding queue for this connection model.
Setup approach
- Device — Pair the sending number in device management; keep alerts on disconnect (notifications).
- Copy — Define concise OTP messages; avoid marketing fluff in the same message if you want users to trust it.
- Integration — From your backend, call the REST API with Bearer auth (authentication guide, send message overview). Use idempotency for safe retries.
- Observability — Log WAPing message ids; subscribe to developer webhooks if you need push status into your pipeline.
Best for
- Product-led teams already using WhatsApp for CX.
- Markets where WhatsApp is the default chat app.
- Flows that can fall back to email or SMS if WhatsApp is unavailable.
Not for
- Requirements mandating Meta Cloud API template categories only.
- High-assurance auth without a fallback channel.
- Free-tier-only automation—API keys are not on Free.
Caveats
- If the linked session disconnects, automated OTPs stop until someone reconnects the device.
- Outbound volume follows your plan; burst login events can also hit HTTP rate limits—see rate-limit docs.
- You are responsible for consent, data retention, and not using OTP messages for unsolicited marketing.
FAQ
Is this the same as Meta WhatsApp Business Cloud API authentication templates?
No. WAPing sends from a QR-linked WhatsApp session you control in the dashboard. You compose OTP text according to your policies and WhatsApp’s acceptable-use expectations—you are not completing Meta’s Cloud API template approval flow inside WAPing for this path.
What do I need technically to send OTPs?
A linked device that stays healthy, and—for automated sends from your backend—REST API access (Starter ($29/mo) and up). Free tier does not include API keys; you can still send manually from the app, which rarely scales for login flows.
How do I know the code was delivered?
Use message history in the dashboard and, on eligible setups, developer webhooks for delivery-related events. Exact event names and payloads are on docs.waping.app.
When is SMS or a dedicated auth provider a better fit?
Regulated industries, strict SLAs, or requirements for carrier-grade OTP routing may still prefer SMS or a vendor that specialises in authentication. WAPing fits teams that already run WhatsApp for support or sales and want one channel for login codes without BSP onboarding.
Related
Implementation map
OTP delivery via QR-linked WhatsApp typically uses: Features: REST API, Auto reply, Message log. Guides: Authentication, Send message guide. Pricing and API tiers · Developer docs index.
Wire OTP delivery
Link a device, then integrate sends from your backend (Starter ($29/mo)+ for API). No free-trial gimmicks—start on Free for manual tests or upgrade when you need keys.