Jul 19, 2026

Can You Send OTP Codes on WhatsApp?

Yes, you can send one-time passwords over WhatsApp using an authentication template and the official Cloud API. Here is how it works, what it costs, and why the codes reach US numbers.

Send bulk WhatsApp messages the safe way
Import a CSV, personalize each message, and broadcast on the official WhatsApp Business API. Free tier: 500 messages a month.
Start free →

Short answer: yes, you can send OTP codes on WhatsApp. You do it with an approved authentication template sent over the official WhatsApp Cloud API. Your backend generates the code, passes it to WhatsApp as a template variable, and the message arrives with a native copy-code or one-tap autofill button. Authentication is the one WhatsApp message category that still delivers to US phone numbers in 2026, and each code costs a fraction of a cent.

One-time passwords over WhatsApp have become a standard login option for apps with WhatsApp-heavy audiences. The reason is simple: the code arrives in an app the user already has open, they tap a button instead of retyping six digits, and for international users it is cheaper and more reliable than SMS. Below is exactly how the flow works and what you need to set it up.

What you need to send an OTP on WhatsApp

Three pieces have to be in place before a code can go out. First, a WhatsApp Business number registered on the Cloud API. The free WhatsApp Business app cannot send verification codes to your customers programmatically, so this has to be the API. Second, an approved authentication template. Third, a backend that can make an authenticated HTTP request when a user asks to log in or verify.

The authentication template is the part people get wrong. You do not write the message copy yourself. Meta locks the format so every code looks the same: the body reads like "834912 is your verification code," with an optional security line, "For your security, do not share this code," and an optional expiry note, "This code expires in 5 minutes." You supply only the code. That fixed layout is what allows WhatsApp to attach the copy-code and autofill buttons, because the platform knows exactly where the code sits in the message.

How the send actually works

When a user starts a login or signup, your server generates a code, stores it with a short expiry, and sends a single POST request to the WhatsApp /messages endpoint. The request names your authentication template, sets the language, and passes the code as the body parameter. WhatsApp delivers the message, attaches the button, and returns a delivery status to your webhook so your app knows the code went through. The user taps the button, the code fills in, and your server checks it against the one it stored. The whole round trip takes a couple of seconds.

You can skip the low-level Meta setup by sending through a platform that sits on top of the Cloud API. WaBulkSend handles number registration, template approval, and webhook handling, so your engineers make one clean request per code instead of wiring the full Meta stack. The complete setup, request format, and pricing live on our WhatsApp OTP API page.

The three button styles

Every authentication template uses one of three delivery styles, and the right one depends on where your users verify:

  • Copy code: the user taps a button and the code lands on their clipboard, ready to paste into your website or app. Best for web logins where the user is on a different screen.
  • One-tap autofill: the user taps once and the code is handed straight to your mobile app through a deep link, so nothing is typed. Best for native Android and iOS apps.
  • Zero-tap: your app reads the code from the incoming message automatically with no button at all, for the smoothest possible flow.

Starting June 15, 2026, iOS 26 and later also show the code as a native keyboard suggestion, enabled by default on authentication templates, which makes the copy-code experience even faster on iPhones.

Do the codes reach US numbers?

Yes, and this is the detail that makes WhatsApp OTP worth setting up in the United States. Meta paused delivery of marketing templates to US phone numbers on April 1, 2025, and that pause is still in place as of July 2026. But it never applied to authentication or utility templates. A login code sent to a US number delivers normally. So even though a US marketing blast on WhatsApp will not arrive, a verification code will. That makes OTP one of the few WhatsApp channels a US product can rely on right now, and it slots into the same integration you would use for order and appointment updates.

What it costs

WhatsApp does not publish a US dollar rate in its developer docs, so the honest way to price a code is against a provider that does. Twilio's public US card in July 2026 lists the authentication pass-through at $0.0034 per delivered message plus its own $0.005 platform fee, which puts a delivered US code around $0.0084, or about $8.40 per 1,000. Codes a user requests inside an open 24-hour service window can send without the Meta fee. For most apps, that is cheaper than the SMS they are replacing, especially for international users.

OTP over WhatsApp vs SMS

SMS still reaches every phone, so it remains the universal fallback. But for US A2P traffic it now requires 10DLC brand and campaign registration, it bills per 160-character segment, and the user has to read and type the code. WhatsApp OTP skips 10DLC, delivers with a tap-to-fill button, and runs cheaper for longer or international messages. Most teams do not choose one: they send the code over WhatsApp first and fall back to SMS when the webhook reports a failed delivery. There is a fuller channel breakdown on our WhatsApp vs SMS comparison.

Setting it up cleanly

Verifying a phone number is usually one step inside a larger sign-up or onboarding sequence, so it pays to treat it as part of the whole first-touch experience rather than a bolt-on. Teams that map the full customer onboarding flow tend to get higher completion, because the code request lands at a moment the user expects it instead of interrupting them. Keep code expiry short, rate-limit requests per number to stop abuse, and always send the security disclaimer line so users know not to forward the code.

The bottom line

Sending OTP codes on WhatsApp is straightforward once the authentication template and Cloud API number are in place: generate the code, POST it to the /messages endpoint, and let the copy-code button do the rest. It delivers to US numbers, costs well under a cent per code, and gives users a faster verification than SMS. Start free and send your first verification code, or read the full setup on our WhatsApp OTP API page.