Zero-Tap Authentication Templates

Zero-tap authentication templates allow your users to receive one-time passwords or codes via WhatsApp without having to leave your application.

When a user in your app requests a password or code and you deliver it using a zero-tap authentication template, the WhatsApp client simply broadcasts the included password or code and your app can capture it immediately with a broadcast receiver.

From the user's perspective, they request a password or code in your app and the code appears in your app automatically. If your app user happens to check the message in the WhatsApp client, they will only see a message displaying the default fixed text: < code > is your verification code.

Like one-tap autofill button authentication templates, when the WhatsApp client receives the template message containing the user's password or code, Meta perform a series of eligibility checks. If the message fails this check and Meta is unable to broadcast the password or code, the message will display either a one-tap autofill button or a copy code button. For this reason, when you create a zero-tap authentication template, you must include a one-tap autofill and copy code button in your post body payload, even if the user may never see one of these buttons.

Zero-tap is only supported on Android. If you send a zero-tap authentication template to a WhatsApp user who is using a non-Android device, the WhatsApp client will display a copy code button instead. URLs, media, and emojis are not supported.

When using Zero-Tap authentication templates, you must also perform a handshake and use the App Signing Key Hash to integrate with your software. For this, please refer to Meta's documentation.

Best Practices

  • Do not make WhatsApp your default password/code delivery method.

  • Make it clear to your app users that the password or code will be automatically delivered to your app when they select WhatsApp for delivery.

  • Link to Meta article About security codes that automatically fill on WhatsApp in the help center, to support users who are worried about auto-delivery of the password or code.

  • After the password/code is used in your app, make it clear to your app user that it was received successfully.

Here are some examples that make it clear to an app user that their code will automatically appear in the app:

Template Creation

You can use the WABA API to create zero-tap authentication templates. Alternatively, you can also create it using the WhatsApp Business Manager.

Use the create template endpoint and assemble the authentication components in the request:

The base-url should be https://waba-v2.360dialog.io for Cloud API and https://waba.360dialog.io for On-Premise.

If you are using On-Premise API, remember that it is being discontinued by Meta. No new signups will be allowed with this type of integration from May 15, 2024.

Numbers registered before this date will still be supported, but should start planning a change of hosting type as soon as possible.

POST [base-url]/v1/configs/templates

The message template name field is limited to 512 characters. The message template content field is limited to 1024 characters.

Headers

Request Body

Upon success, the API will respond with a JSON object describing the newly created template.

{
    "id": "594425479261596",
    "status": "PENDING",
    "category": "AUTHENTICATION"
}

Post Body

{
  "name": "<TEMPLATE_NAME>",
  "language": "<TEMPLATE_LANGUAGE>",
  "category": "authentication",
  "message_send_ttl_seconds": <TIME_TO_LIVE>, // Optional
  "components": [
    {
      "type": "body",
      "add_security_recommendation": <SECURITY_RECOMMENDATION> // Optional
    },
    {
      "type": "footer",
      "code_expiration_minutes": <CODE_EXPIRATION> // Optional
    },
    {
      "type": "buttons",
      "buttons": [
        {
          "type": "otp",
          "otp_type": "zero_tap",
          "text": "<CODY_CODE_BUTTON_TEXT>", // Optional
          "autofill_text": "<AUTOFILL_BUTTON_TEXT>", // Optional
          "package_name": "<PACKAGE_NAME>",
          "signature_hash": "<SIGNATURE_HASH>",
          "zero_tap_terms_accepted": <TERMS_ACCEPTED>
        }
      ]
    }
  ]
}

Note that in your template creation request the button type is designated as otp, but upon creation the button type will be set to url. You can confirm this by performing a GET request on a newly created authentication template and analyzing its components.

Properties

Example Request

{
  "name": "zero_tap_auth_template",
  "language": "en_US",
  "category": "authentication",
  "message_send_ttl_seconds": 60,
  "components": [
    {
      "type": "body",
      "add_security_recommendation": true
    },
    {
      "type": "footer",
      "code_expiration_minutes": 5
    },
    {
      "type": "buttons",
      "buttons": [
        {
          "type": "otp",
          "otp_type": "zero_tap",
          "text": "Copy Code",
          "autofill_text": "Autofill",
          "package_name": "com.example.luckyshrub",
          "signature_hash": "K8a%2FAINcGX7",
          "zero_tap_terms_accepted": true
        }
      ]
    }
  ]
}'

Sending Zero-Tap Authentication Template Messages

See our Authentication Templates documentation to learn how to send it to customers.

Last updated