Message templates-Authentication

If your mobile app offers users the option to receive one-time passwords or verification codes via the WhatsApp app or WhatsApp Business app, you must use an authentication template with a one-time password button (OTP) to deliver the password or code.

Authentication templates with OTP buttons consist of the following:

  • Preset authentication message template fixed text:
    • <VERIFICATION_CODE> is your verification code.
    • Security disclaimer (optional): For your security, do not share this code.
    • Expiration warning (optional): This code expires in <NUM_MINUTES> minutes.
  • Button: Either a copy code or one-tap autofill button.

The code length cannot exceed 15 characters. URLs, media, and emojis are not supported. Because authentication templates with OTP buttons only consist of preset text and buttons, their risk of being paused is significantly minimized.


Authentication templates must include either a copy code or one-tap autofill button. Buttons behave differently when tapped by a user:

  • A copy code button copies the one-time password or code to the user's clipboard. The user can then manually switch to your app and paste the password or code into your app's interface.
  • A one-tap autofill button automatically loads and passes your app the one-time password or code.

One-tap buttons are the preferred solution as they offer the best user experience. However, one-tap buttons are currently only supported on Android, require changes to your app's code in order to perform a "handshake", and your app's signing key hash. See Handshake and App Signing Key Hash below.

Best Practices

  • Confirm the user's WhatsApp phone number before sending the one-time password or code to that number.
  • Make it clear to your user that the password or code will be delivered to their WhatsApp phone number, especially if you offer multiple ways for the user to receive password or code delivery. See Getting Opt-In for additional tips.
  • When the user pastes the password or code into your app, or your app receives it as part of the one-tap autofill button flow, make it clear to the user that your app has captured it.

Template Creation

Use the YCloud template createto create authentication templates. Alternatively, you can manually create them using the YCloud background.


The components property value must be an array of objects that describes each component that makes up the template. Authentication templates must have the following components:

  • a single body component
  • a single footer component
  • a single OTP Button component

Example Request (One-tap Autfill)

Example Request (Copy Code)

App Signing Key Hash

If you are creating an authentication template that uses a one-tap autofill button, you must include your app signing key hash in the components array.

To calculate your hash, follow Google's instructions for computing your app's hash string.

Alternatively, if you follow Google's instructions and download your app signing key certificate (step 1), you can use your certificate with the shell script to compute the hash. For example:

./ --package "com.example.myapplication" --keystore ~/.android/debug.keystore

Sending Authentication Template Messages

Use YCloud whatsapp api to send authentication template messages.

Note that if you are sending an authentication template that has a one-tap autofill button, you must first initiate a handshake between your app and WhatsApp Messenger or WhatsApp Business. See Handshake below.


If any of your authentication templates use a one-tap autofill button, your app must be able to initiate a "handshake".

A handshake is an Android intent and public class that you implement but that we can start from the WhatsApp app or WhatsApp Business app.

When a user in your app requests a one-time password or verification code and chooses for it to be delivered to their WhatsApp number, first perform the handshake, then call our API to send the authentication template message. When the WhatsApp app or WhatsApp Business app receives the message, it will perform an eligibility check, and if there are no errors, start the intent and display the message to the user. Finally, when the user taps the message's one-tap autofill button, we automatically load your app and pass it the password or code.

If you do not perform a handshake before sending the message, or the message fails an eligibility check, the delivered message will display a copy code button instead of a one-tap button.

Eligibility Checks

The WhatsApp app or WhatsApp Business app performs the following checks when it receives an authentication template message. If any check fails, the one-tap autofill button will be replaced with a copy code button.

  • The handshake was initiated no more than 10 minutes ago.
  • The package name in the message (defined in the package_name property in the components array upon template creation) matches the package name set on the intent. The match is determined through the getCreatorPackage method called in the PendingIntent object provided by your application. See Components and Public Class.
  • The app signing key hash in the message (defined in the signature_hash property in the components array upon template creation) matches your installed app's signing key hash. See Components
  • The message includes the one-tap autofill button text.
  • Your app has defined an activity to receive the password or code. See Activity below.

Android Notifications

Android notifications indicating receipt of a WhatsApp authentication template message will only appear on the user's Android device if:

  • The user is logged into the WhatsApp app or WhatsApp Business app with the phone number (account) that the message was sent to.
  • The user is logged into your app.
  • Android OS is KitKat (4.4, API 19) or above.
  • Show notifications is enabled (Settings > Notifications) in the WhatsApp app or WhatsApp Business app.
  • Device level notification is enabled for the WhatsApp app or WhatsApp Business app.
  • Prior message threads in the WhatsApp app or WhatsApp Business app between the user and your business are not muted.

Client Implementation

Implement the following activity and class in your app.


Declare an activity and intent filter that can receive the one-time password or code. The intent filter must have the action name com.whatsapp.otp.OTP_RETRIEVED.

       <action android:name="com.whatsapp.otp.OTP_RETRIEVED" />

This is the activity that the WhatsApp app or WhatsApp Business app will start once the authentication template message is received and it passes all eligibility checks.

Public Class

Define the activity public class that can accept the code once it has been passed to your app.

public class ReceiveCodeActivity extends AppCompatActivity {

   protected void onCreate(Bundle savedInstanceState) {
       Intent intent = getIntent();
       // retrieve PendingIntent from extras bundle
       PendingIntent pendingIntent = intent.getParcelableExtra("_ci_");
       // verify source of the pendingIntent
       String pendingIntentCreatorPackage = pendingIntent.getCreatorPackage();
       // check if creatorPackage is "com.whatsapp" -> WA consumer app Or
       // "com.whatsapp.w4b" -> WA business app
       if ("com.whatsapp".equals(creatorPackage) || "com.whatsapp.w4b".equals(creatorPackage)) {
         // use OTP code
         String otpCode = intent.getStringExtra("code");

Initiating the Handshake

This example demonstrates one way to initiate a handshake with the WhatsApp app or WhatsApp Business app.

public void sendOtpIntentToWhatsApp() {
   // Send OTP_REQUESTED intent to both WA and WA Business App

private void sendOtpIntentToWhatsApp(String packageName) {

  * Starting with Build.VERSION_CODES.S, it will be required to explicitly 
  * specify the mutability of  PendingIntents on creation with either 
  int flags = Build.VERSION.SDK_INT >= Build.VERSION_CODES.S ? FLAG_IMMUTABLE : 0;
  PendingIntent pi = PendingIntent.getActivity(
      new Intent(), 

  // Send OTP_REQUESTED intent to WhatsApp
  Intent intentToWhatsApp = new Intent();
  // WA will use this to verify the identity of the caller app.
  Bundle extras = intentToWhatsApp.getExtras();
  if (extras == null) {
     extras = new Bundle();
  extras.putParcelable("_ci_", pi);