Zero-Tap Authentication Templates

Zero-tap authentication templates allow your users to receive one-time passwords or codes via WhatsApp without having to leave your application.

When a user in your app requests a password or code and you deliver it using a zero-tap authentication template, the WhatsApp client simply broadcasts the included password or code and your app can capture it immediately with a broadcast receiver.

From the user's perspective, they request a password or code in your app and the code appears in your app automatically. If your app user happens to check the message in the WhatsApp client, they will only see a message displaying the default fixed text: < code > is your verification code.

Like one-tap autofill button authentication templates, when the WhatsApp client receives the template message containing the user's password or code, Meta perform a series of eligibility checks. If the message fails this check and Meta is unable to broadcast the password or code, the message will display either a one-tap autofill button or a copy code button. For this reason, when you create a zero-tap authentication template, you must include a one-tap autofill and copy code button in your post body payload, even if the user may never see one of these buttons.

Zero-tap is only supported on Android. If you send a zero-tap authentication template to a WhatsApp user who is using a non-Android device, the WhatsApp client will display a copy code button instead. URLs, media, and emojis are not supported.

When using Zero-Tap authentication templates, you must also perform a handshake and use the App Signing Key Hash to integrate with your software. For this, please refer to Meta's documentation.

Best Practices

Do not make WhatsApp your default password/code delivery method.
Make it clear to your app users that the password or code will be automatically delivered to your app when they select WhatsApp for delivery.
Link to Meta article About security codes that automatically fill on WhatsApp in the help center, to support users who are worried about auto-delivery of the password or code.
After the password/code is used in your app, make it clear to your app user that it was received successfully.

Here are some examples that make it clear to an app user that their code will automatically appear in the app:

Template Creation

In the API

Use the create template endpoint and assemble the authentication components in the request:

The base-url should be https://waba-v2.360dialog.io for Cloud API and https://waba.360dialog.io for On-Premise.

As announced in November 2023, Meta is transitioning to a fully Cloud-hosted WhatsApp Business Platform and will stop supporting On-Premise API in October 2025. Starting from On-Premise client v2.53, all new feature updates will be exclusively delivered to Cloud API. While the On-Premise API client will receive quarterly releases, they will focus solely on bug fixes and security patches.

POST [base-url]/v1/configs/templates

The message template name field is limited to 512 characters. The message template content field is limited to 1024 characters.

Headers

Name

Type

Description

D360-API-KEY

string

Request Body

Name

Type

Description

name*

string

components*

array[objects]

Array of objects that describe the components that make up the template.

category*

string

Allowed values: AUTHENTICATION

language*

string

Upon success, the API will respond with a JSON object describing the newly created template.

{
    "id": "594425479261596",
    "status": "PENDING",
    "category": "AUTHENTICATION"
}

Post Body

{
  "name": "<TEMPLATE_NAME>",
  "language": "<TEMPLATE_LANGUAGE>",
  "category": "authentication",
  "message_send_ttl_seconds": <TIME_TO_LIVE>, // Optional
  "components": [
    {
      "type": "body",
      "add_security_recommendation": <SECURITY_RECOMMENDATION> // Optional
    },
    {
      "type": "footer",
      "code_expiration_minutes": <CODE_EXPIRATION> // Optional
    },
    {
      "type": "buttons",
      "buttons": [
        {
          "type": "otp",
          "otp_type": "zero_tap",
          "text": "<CODY_CODE_BUTTON_TEXT>", // Optional
          "autofill_text": "<AUTOFILL_BUTTON_TEXT>", // Optional
          "package_name": "<PACKAGE_NAME>",
          "signature_hash": "<SIGNATURE_HASH>",
          "zero_tap_terms_accepted": <TERMS_ACCEPTED>
        }
      ]
    }
  ]
}

Note that in your template creation request the button type is designated as otp, but upon creation the button type will be set to url. You can confirm this by performing a GET request on a newly created authentication template and analyzing its components.

Properties

Placeholder

Description

Example Value

<AUTOFILL_BUTTON_TEXT>

String

Optional.

One-tap autofill button label text.

If omitted, the autofill text will default to a pre-set value, localized to the template's language. For example, Autofill for English (US).

Maximum 25 characters.

Autofill

<COPY_CODE_BUTTON_TEXT>

String

Optional.

Copy code button label text.

If omitted, and the message fails the eligibility check and displays a copy code button, the text will default to a pre-set value localized to the template's language. For example, Copy Code for English (US).

Maximum 25 characters.

Copy Code

<CODE_EXPIRATION>

Integer

Optional.

Indicates the number of minutes the password or code is valid.

If omitted, the code expiration warning will not be displayed in the delivered message. If the message fails the eligibility check and displays a one-tap autofill button, the button will be disabled 10 minutes from when the message was sent.

Minimum 1, maximum 90.

5

<PACKAGE_NAME>

String

Required.

Your Android app's package name.

com.example.luckyshrub

<SECURITY_RECOMMENDATION>

Boolean

Optional.

Set to true if you want the template to include the fixed string, For your security, do not share this code. Set to false to exclude the string.

true

<SIGNATURE_HASH>

String

Required.

K8a%2FAINcGX7

<TEMPLATE_LANGUAGE>

String

Required.

en_US

<TEMPLATE_NAME>

String

Required.

Template name.

Maximum 512 characters.

zero_tap_auth_template

<TERMS_ACCEPTED>

Boolean

Required.

Set to true to indicate that you understand that your use of zero-tap authentication is subject to the WhatsApp Business Terms of Service, and that it's your responsibility to ensure your customers expect that the code will be automatically filled in on their behalf when they choose to receive the zero-tap code through WhatsApp.

If set to false, the template will not be created as you need to accept zero-tap terms before creating zero-tap enabled message templates.

true

<TIME_TO_LIVE>

Integer

Optional.

60

Example Request

{
  "name": "zero_tap_auth_template",
  "language": "en_US",
  "category": "authentication",
  "message_send_ttl_seconds": 60,
  "components": [
    {
      "type": "body",
      "add_security_recommendation": true
    },
    {
      "type": "footer",
      "code_expiration_minutes": 5
    },
    {
      "type": "buttons",
      "buttons": [
        {
          "type": "otp",
          "otp_type": "zero_tap",
          "text": "Copy Code",
          "autofill_text": "Autofill",
          "package_name": "com.example.luckyshrub",
          "signature_hash": "K8a%2FAINcGX7",
          "zero_tap_terms_accepted": true
        }
      ]
    }
  ]
}'

Example Response

{
  "id": "594425479261596",
  "status": "PENDING",
  "category": "AUTHENTICATION"
}

Sending Zero-Tap Authentication Template Messages

See our Authentication Templates documentation to learn how to send it to customers.

PreviousAuthentication Templates NextOne-Tap Autofill Authentication Templates

Last updated 9 months ago

Was this helpful?