Authentication Templates

Starting April 1, 2024, any existing authentication template that is not an authentication template with a one-time password button cannot be sent, edited, or appealed. Authentication templates are available in India since July 1, 2024.

Authentication templates enables businesses to authenticate users with one-time passcodes (usually 4-8 digit alphanumeric codes), potentially at multiple steps in the login process (e.g., account verification, account recovery, integrity challenges).

If your mobile app offers users the option to receive one-time passwords or verification codes via WhatsApp, you must use an authentication template.

It's appropriate to use an authentication template when:

Definition

Examples

Providing an authentication code to the user

"{{1}} is your verification code."
"{{1}} is your verification code. For your security, do not share this code."
"{{1}} is your verification code. This code expires in 15 minutes."

Authentication Template Requirements

Authentication templates include optional add-ons like security disclaimers and expiry warnings. In addition, authentication templates must have a one-time password button (copy code or one-tap).

It consist of:

Fixed preset text: <VERIFICATION_CODE> is your verification code.
An optional security disclaimer: For your security, do not share this code.
An optional expiration warning: This code expires in <NUM_MINUTES> minutes.
Either a one-tap autofill button, a copy code button, or no button at all if using zero-tap.

URLs, media, and emojis are not supported. Because authentication templates with OTP buttons only consist of preset text and buttons, their risk of being paused is significantly minimized.

Linked Device Security

This feature is enabled by default by Meta and does not require code changes. It cannot be configured or customized. It is only available on Cloud API.

Authentication templates now feature linked device security. This means that authentication messages are only delivered to a user's primary WhatsApp device.

Authentication messages that are sent to a user's linked devices are masked with a prompt instructing the user to view the message on their primary device.

Buttons

Authentication templates must include either a copy code or one-tap autofill button. Buttons behave differently when tapped by a user:

A copy code button copies the one-time password or code to the user's clipboard. The user can then manually switch to your app and paste the password or code into your app's interface.
A one-tap autofill button automatically loads and passes your app the one-time password or code.
Zero Tap Authentication Templates allow your users to receive one-time passwords or codes via WhatsApp without having to leave your app. See See Zero-Tap Authentication Templates to learn how to use them.

HandShake and App Signing Hash

Authentication Templates requires changes to your application in order to perform a "handshake" with Meta, and your app's signing key hash.

See Meta's Official documentation for Handshake and App Signing Key Hash.

Time-To-Live

If Meta is unable to deliver a message to a WhatsApp user, they will continue attempting to deliver the message for a period of time known as a time-to-live.

If Meta is unable to deliver an authentication template for an amount of time that exceeds its time-to-live, they will stop retrying and drop the message. If the time between your authentication template message send request exceeds the time-to-live and you receive no webhook, assume it was dropped.

To override the default time-to-live when creating an authentication template, include the message_send_ttl_seconds property with a value set between 60 and 600 seconds.

See Customizing Time-To-Live.

Best Practices for Authentication Templates

Confirm the user's WhatsApp phone number before sending the one-time password or code to that number.
Make it clear to your user that the password or code will be delivered to their WhatsApp phone number, especially if you offer multiple ways for the user to receive password or code delivery. See Template Messages for additional tips.
When the user pastes the password or code into your app, or your app receives it as part of the one-tap autofill button flow, make it clear to the user that your app has captured it.
See more of Meta best practices to follow before you enable zero-tap authentication templates for WhatsApp business accounts

Creating Authentication Templates

You can use the Partner API to create authentication templates. Alternatively, you can also create it using the 360dialog Hub.

In the API

Use the create template endpoint and assemble the authentication components in the request:

The base-url should be https://waba-v2.360dialog.io for Cloud API and https://waba.360dialog.io for On-Premise.

As announced in November 2023, Meta is transitioning to a fully Cloud-hosted WhatsApp Business Platform and will stop supporting On-Premise API in October 2025. Starting from On-Premise client v2.53, all new feature updates will be exclusively delivered to Cloud API. While the On-Premise API client will receive quarterly releases, they will focus solely on bug fixes and security patches.

POST https://waba-v2.360dialog.io/v1/configs/templates

The message template name field is limited to 512 characters. The message template content field is limited to 1024 characters.

Headers

Name

Type

Description

D360-API-KEY

string

Request Body

Name

Type

Description

name*

string

components*

array[objects]

Array of objects that describe the components that make up the template.

category*

string

Allowed values: AUTHENTICATION

language*

string

Upon success, the API will respond with a JSON object describing the newly created template.

Components

The components value in the request must be an array of objects that describes each component that makes up the template. Authentication templates must have the following components:

a single body component
a single footer component
a single OTP Button component

Properties

Placeholder

Description

Sample Value

<ADD_SECURITY_RECOMMENDATION>

Optional.

Boolean. Set to true if you want the template to include the string: For your security, do not share this code. Set to false to exclude the string.

true

<CODE_EXPIRATION_MINUTES>

Optional.

Integer. Indicates number of minutes the password or code is valid.

If omitted, the code expiration warning will not be displayed in the delivered message.

Minimum 1, maximum 90.

5

<OTP_TYPE>

Enum. Indicates button type. Set to COPY_CODE if you want the template to use a copy code button, or ONE_TAP to have it use a one-tap autofill button.

ONE_TAP

<TEXT>

String. Copy code button text.

Maximum 25 characters.

'Copy Code'

<AUTOFILL_TEXT>

One-tap buttons only.

String. One-tap button text.

Maximum 25 characters.

'Autofill'

<PACKAGE_NAME>

One-tap buttons only.

Your Android app's package name.

'com.example.myapplication'

<SIGNATURE_HASH>

One-tap buttons only.

'K8a%2FAINcGX7'

Sample request with components descriptions

    {
        "name": "sample",
        "language": "es_ES",
        "category": "AUTHENTICATION",
        "components": [
            {
            "type": "BODY", 
            "add_security_recommendation": "<ADD_SECURITY_RECOMMENDATION>" /*#Optional*/
            },
            {
            "type": "FOOTER", 
            "code_expiration_minutes": "<CODE_EXPIRATION_MINUTES>" /*Optional*/
            },
            { 
            "type": "BUTTONS",
            "buttons": [
                    {
                "type": "OTP",
                "otp_type": "<OTP_TYPE>",
                "text": "<TEXT>",
                "autofill_text": "<AUTOFILL_TEXT>", /*One-tap buttons only*/
                "package_name": "<PACKAGE_NAME>", /*One-tap buttons only*/
                "signature_hash": "<SIGNATURE_HASH>" /*#One-tap buttons only*/
                    }
                ]
            }
        ],
    }

Sample Copy Code Button Components Value

[
  {
    "type": "BODY", 
    "add_security_recommendation": true
  }, 
  {
    "type": "FOOTER", 
    "code_expiration_minutes": 5
  },
  { 
    "type": "BUTTONS",
    "buttons": [
      {
        "type": "OTP",
        "otp_type": "COPY_CODE",
        "text": "Copy Code"
      }
    ]
  }
]

Sample One-tap Autofill Button Components Value

[
  {
    "type": "BODY", 
    "add_security_recommendation": true
  }, 
  {
    "type": "FOOTER", 
    "code_expiration_minutes": 5
  },
  { 
    "type": "BUTTONS",
    "buttons": [
      {
        "type": "OTP",
        "otp_type": "ONE_TAP",
        "text": "Copy Code",
        "autofill_text": "Autofill",
        "package_name": "com.example.myapplication",
        "signature_hash": "K8a%2FAINcGX7"
      }
    ]
  }
]

Sending Authentication Templates

POST https://waba-v2.360dialog.io/messages

Request Body

Name

Type

Description

name

String

Name of the template.

type

String

Message type

String

Recipient wa_id

messaging_product

String

Required only for Cloud API. Messaging service used for the request. Use "whatsapp".

components

String

language

String

Placeholder

Description

Sample Value

<CUSTOMER_PHONE_NUMBER>

The customer's WhatsApp phone number.

12015553931

<ONE-TIME PASSWORD>

The one-time password or verification code to be delivered to the customer.

Note that this value must appear twice in the payload.

J$FpnYnP

<TEMPLATE_LANGUAGE_CODE>

en_US

<TEMPLATE_NAME>

The template's name.

verification_code

Sample payload with Copy Code Button

{
  "messaging_product": "whatsapp",
  "recipient_type": "individual",
  "to": "<CUSTOMER_PHONE_NUMBER>",
  "type": "template",
  "template": {
    "name": "<TEMPLATE_NAME>",
    "language": {
      "code": "<TEMPLATE_LANGUAGE_CODE>"
    }
  },
  "components": [
    {
      "type": "body",
      "parameters": [
        {
          "type": "text",
          "text": "<ONE-TIME PASSWORD>"
        }
      ]
    },
    {
      "type": "BUTTONS",
      "buttons": [
        {
          "type": "OTP",
          "otp_type": "COPY_CODE",
          "text": "Copy Code"
        }
      ]
    }
  ]
}

[will be deprecated] If the WABA is registered in On-Premise API

POST https://waba.360dialog.io/v1/messages

Request Body

Name

Type

Description

Recepient_wa_id

language

String

Contains a language object. Specifies the language the template may be rendered in.

The language object can contain the following fields:

policystring – Required. The language policy the message should follow. The only supported option is deterministic.

codestring – Required. The code of the language or locale to use.

Accepts both language andlanguage_locale formats (e.g., en and en_US).

name

String

Name of the template.

namespace

Namespace of the template.

components

String

If a template is sent to an account that is incapable of receiving the authentication template, the 1026 (ReceiverIncapable) error will be sent in the error object to the configured Webhook server.

Sample payload with Copy Code Button

{
    "to": "wa_id",
    "type": "template",
    "template": {
        "namespace": "c8ae5f90_307a_ca4c_b8f6_d1e2a2573574",
        "language": {
            "policy": "deterministic",
            "code": "en"
        },
        "name": "template_name",
        "components":[
  {
    "type": "BODY", 
    "add_security_recommendation": true
  }, 
  {
    "type": "FOOTER", 
    "code_expiration_minutes": 5
  },
  { 
    "type": "BUTTONS",
    "buttons": [
      {
        "type": "OTP",
        "otp_type": "COPY_CODE",
        "text": "Copy Code"
      }
    ]
  }
]

PreviousSending Template Messages NextZero-Tap Authentication Templates

Last updated 3 months ago