Zero-Tap Authentication Templates
Last updated
Was this helpful?
Last updated
Was this helpful?
Zero-tap authentication templates allow your users to receive one-time passwords or codes via WhatsApp without having to leave your application.
When a user in your app requests a password or code and you deliver it using a zero-tap authentication template, the WhatsApp client simply broadcasts the included password or code and your app can capture it immediately with a broadcast receiver.
From the user's perspective, they request a password or code in your app and the code appears in your app automatically. If your app user happens to check the message in the WhatsApp client, they will only see a message displaying the default fixed text: < code > is your verification code.
Like one-tap autofill button authentication templates, when the WhatsApp client receives the template message containing the user's password or code, Meta perform a series of eligibility checks. If the message fails this check and Meta is unable to broadcast the password or code, the message will display either a one-tap autofill button or a copy code button. For this reason, when you create a zero-tap authentication template, you must include a in your post body payload, even if the user may never see one of these buttons.
Zero-tap is only supported on Android. If you send a zero-tap authentication template to a WhatsApp user who is using a non-Android device, the WhatsApp client will display a copy code button instead. URLs, media, and emojis are not supported.
Do not make WhatsApp your default password/code delivery method.
Make it clear to your app users that the password or code will be automatically delivered to your app when they select WhatsApp for delivery.
Link to Meta article in the help center, to support users who are worried about auto-delivery of the password or code.
After the password/code is used in your app, make it clear to your app user that it was received successfully.
Here are some examples that make it clear to an app user that their code will automatically appear in the app:
Use the create template endpoint and assemble the authentication components in the request:
The base-url should be https://waba-v2.360dialog.io for Cloud API and https://waba.360dialog.io for On-Premise.
As announced in November 2023, Meta is transitioning to a fully Cloud-hosted WhatsApp Business Platform and will stop supporting On-Premise API in October 2025. Starting from On-Premise client v2.53, all new feature updates will be exclusively delivered to Cloud API. While the On-Premise API client will receive quarterly releases, they will focus solely on bug fixes and security patches.
POST [base-url]/v1/configs/templates
The message template name field is limited to 512 characters. The message template content field is limited to 1024 characters.
D360-API-KEY
string
name*
string
components*
array[objects]
Array of objects that describe the components that make up the template.
category*
string
Allowed values: AUTHENTICATION
language*
string
Upon success, the API will respond with a JSON object describing the newly created template.
Note that in your template creation request the button type is designated as otp, but upon creation the button type will be set to url. You can confirm this by performing a GET request on a newly created authentication template and analyzing its components.
<AUTOFILL_BUTTON_TEXT>
String
Optional.
One-tap autofill button label text.
If omitted, the autofill text will default to a pre-set value, localized to the template's language. For example, Autofill for English (US).
Maximum 25 characters.
Autofill
<COPY_CODE_BUTTON_TEXT>
String
Optional.
Copy code button label text.
If omitted, and the message fails the eligibility check and displays a copy code button, the text will default to a pre-set value localized to the template's language. For example, Copy Code for English (US).
Maximum 25 characters.
Copy Code
<CODE_EXPIRATION>
Integer
Optional.
Indicates the number of minutes the password or code is valid.
If omitted, the code expiration warning will not be displayed in the delivered message. If the message fails the eligibility check and displays a one-tap autofill button, the button will be disabled 10 minutes from when the message was sent.
Minimum 1, maximum 90.
5
<PACKAGE_NAME>
String
Required.
Your Android app's package name.
com.example.luckyshrub
<SECURITY_RECOMMENDATION>
Boolean
Optional.
Set to true if you want the template to include the fixed string, For your security, do not share this code. Set to false to exclude the string.
true
<SIGNATURE_HASH>
String
Required.
K8a%2FAINcGX7
<TEMPLATE_LANGUAGE>
String
Required.
en_US
<TEMPLATE_NAME>
String
Required.
Template name.
Maximum 512 characters.
zero_tap_auth_template
<TERMS_ACCEPTED>
Boolean
Required.
Set to true to indicate that you understand that your use of zero-tap authentication is subject to the WhatsApp Business Terms of Service, and that it's your responsibility to ensure your customers expect that the code will be automatically filled in on their behalf when they choose to receive the zero-tap code through WhatsApp.
If set to false, the template will not be created as you need to accept zero-tap terms before creating zero-tap enabled message templates.
true
<TIME_TO_LIVE>
Integer
Optional.
60
If the message fails the and displays a copy code button, the button will use this text label.
If included, the code expiration warning and this value will be displayed in the delivered message. If the message fails the and displays a one-tap autofill button, the button will be disabled in the delivered message the indicated number of minutes from when the message was sent.
Your app signing key hash. See below.
Template .
Authentication message time-to-live value, in seconds. See .
See ourto learn how to send it to customers.
