Authentication messages that are sent to a user's linked devices are masked with a prompt instructing the user to view the message on their primary device.
## Buttons
Authentication templates must include either a copy code or one-tap autofill button. Buttons behave differently when tapped by a user:
* A **copy code** button copies the one-time password or code to the user's clipboard. The user can then manually switch to your app and paste the password or code into your app's interface.
* A **one-tap autofill** button automatically loads and passes your app the one-time password or code.
* Zero Tap Authentication Templates allow your users to receive one-time passwords or codes via WhatsApp without having to leave your app. See See [Zero-Tap Authentication Templates](/partner/messaging/template-messages/authentication-templates/zero-tap-authentication-templates.md) to learn how to use them.
#### **HandShake and App Signing Hash**
Authentication Templates requires changes to your application in order to perform a "handshake" with Meta, and your app's signing key hash.
See Meta's Official documentation for [Handshake](https://developers.facebook.com/docs/whatsapp/business-management-api/authentication-templates#handshake) and [App Signing Key Hash](https://developers.facebook.com/docs/whatsapp/business-management-api/authentication-templates#app-signing-key-hash).
## Time-To-Live
If Meta is unable to deliver a message to a WhatsApp user, they will continue attempting to deliver the message for a period of time known as a time-to-live.
If Meta is unable to deliver an authentication template for an amount of time that exceeds its time-to-live, they will stop retrying and drop the message. If the time between your authentication template message send request exceeds the time-to-live and you receive no webhook, assume it was dropped.
To override the default time-to-live when creating an authentication template, include the `message_send_ttl_seconds` property with a value set between `60` and `600` seconds.
See [Customizing Time-To-Live](/partner/messaging/template-messages.md#customizing-time-to-live).
#### Best Practices for Authentication Templates
* Confirm the user's WhatsApp phone number before sending the one-time password or code to that number.
* Make it clear to your user that the password or code will be delivered to their WhatsApp phone number, especially if you offer multiple ways for the user to receive password or code delivery. See [Template Messages](/partner/messaging/template-messages.md#best-practices-to-get-your-template-message-approved) for additional tips.
* When the user pastes the password or code into your app, or your app receives it as part of the one-tap autofill button flow, make it clear to the user that your app has captured it.
* [See more of Meta best practices ](https://www.facebook.com/business/help/285737223876109)to follow before you enable zero-tap authentication templates for WhatsApp business accounts
## Creating Authentication Templates
You can use the Partner API to create authentication templates. Alternatively, you can also create it using the 360dialog Hub.
#### In the API
Use the create template [endpoint](https://docs.360dialog.com/docs/messaging-api/api-reference/templates#post-v1-configs-templates) and assemble the authentication components in the request:
The message template name field is limited to 512 characters. The message template content field is limited to 1024 characters.
#### Headers
| Name | Type | Description |
| ------------ | ------ | ----------- |
| D360-API-KEY | string | |
#### Request Body
| Name | Type | Description |
|---|---|---|
| name* | string | |
| components* | array[objects] | Array of objects that describe the components that make up the template. |
| category* | string | Allowed values: AUTHENTICATION |
| language* | string | View list of supported languages here. |
Optional.
Boolean. Set to true if you want the template to include the string: For your security, do not share this code. Set to false to exclude the string.
Optional.
Integer. Indicates number of minutes the password or code is valid.
If omitted, the code expiration warning will not be displayed in the delivered message.
Minimum 1, maximum 90.
| `5` | | `Enum. Indicates button type. Set to COPY\_CODE if you want the template to use a copy code button, or ONE\_TAP to have it use a one-tap autofill button.
See Buttons above.
| `ONE_TAP` | | `String. Copy code button text.
Note that even if your template is using a one-tap autofill button, this value must still be supplied. If Meta's unable to validate your handshake the authentication template message will display a copy code button with this text instead.
Maximum 25 characters.
| `'Copy Code'` | | `One-tap buttons only.
String. One-tap button text.
Maximum 25 characters.
| `'Autofill'` | | `One-tap buttons only.
Your Android app's package name.
| `'com.example.myapplication'` | | `One-tap buttons only.
Your app signing key hash. See Meta's Official documentation for App Signing Key Hash.
| `'K8a%2FAINcGX7'` | **Sample request with components descriptions** ```json { "name": "sample", "language": "es_ES", "category": "AUTHENTICATION", "components": [ { "type": "BODY", "add_security_recommendation": "Required only for Cloud API.
Messaging service used for the request. Use "whatsapp".
| Placeholder | Description | Sample Value |
|---|---|---|
<CUSTOMER_PHONE_NUMBER> | The customer's WhatsApp phone number. | 12015553931 |
<ONE-TIME PASSWORD> | The one-time password or verification code to be delivered to the customer. Note that this value must appear twice in the payload. | J$FpnYnP |
<TEMPLATE_LANGUAGE_CODE> | The template's language and locale code. | en_US |
<TEMPLATE_NAME> | The template's name. | verification_code |