WhatsApp OTP Verification API — Complete Guide 2026
SMS OTPs have a 98% delivery rate — but only a 30% open rate, and they're increasingly delayed or blocked by carriers. WhatsApp OTPs solve this: near-instant delivery, 98% open rate, and a more familiar experience for your users.
In this guide, you'll learn how to implement WhatsApp OTP verification using the WapiConnect API, with complete code examples.
WhatsApp OTP vs SMS OTP
| Feature | SMS OTP | WhatsApp OTP |
|---|---|---|
| Open Rate | ~30% | ~98% |
| Delivery Speed | 5–30 seconds (varies) | <2 seconds |
| Cost | ₹0.10–0.30 per SMS | Much lower via WapiConnect |
| Carrier Blocking | Common | Not applicable |
| User Experience | Separate app | Already in WhatsApp |
| International | Expensive | Same cost globally |
How WhatsApp OTP Works
- User enters their phone number in your app/website
- Your backend generates a random OTP and stores it with an expiry time
- Your backend calls the WapiConnect API to send the OTP via WhatsApp
- User receives the OTP on WhatsApp and enters it in your app
- Your backend validates the OTP and authenticates the user
Step-by-Step Implementation
Step 1 — Generate and Store the OTP
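```javascript
// Node.js — Generate OTP and store in Redis/DB
const crypto = require('crypto');

// `redis` is assumed to be an already-connected Redis client instance.

function generateOTP() {
  // crypto.randomInt draws from a CSPRNG; Math.random() is predictable
  // and must not be used for authentication codes.
  return crypto.randomInt(100000, 1000000).toString(); // 6-digit
}

async function createOTPSession(phoneNumber) {
  const otp = generateOTP();
  const expiresAt = Date.now() + 5 * 60 * 1000; // 5 minutes
  // Store in your DB or Redis (the 300-second TTL matches expiresAt)
  await redis.setex(`otp:${phoneNumber}`, 300, JSON.stringify({ otp, expiresAt }));
  return otp;
}
```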
Step 2 — Send OTP via WhatsApp API
```javascript
async function sendWhatsAppOTP(phoneNumber) {
  const otp = await createOTPSession(phoneNumber);

  const response = await fetch('https://api.wapiconnect.cloud/api/send-message', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'x-api-key': process.env.WAPICONNECT_API_KEY
    },
    body: JSON.stringify({
      sessionId: process.env.WAPICONNECT_SESSION_ID,
      number: phoneNumber, // e.g. '919876543210'
      message: `Your WapiConnect verification code is: *${otp}*\n\nThis code expires in 5 minutes. Do not share it with anyone.`
    })
  });

  const data = await response.json();
  if (!data.success) throw new Error('Failed to send OTP: ' + data.error);
  return { sent: true };
}
```
Step 3 — Verify the OTP
```javascript
// Note: failed attempts are not counted here; add the retry limit from
// Security Best Practices before production use.
async function verifyOTP(phoneNumber, userEnteredOTP) {
  const stored = await redis.get(`otp:${phoneNumber}`);
  if (!stored) return { valid: false, reason: 'OTP expired or not found' };

  const { otp, expiresAt } = JSON.parse(stored);
  if (Date.now() > expiresAt) {
    await redis.del(`otp:${phoneNumber}`);
    return { valid: false, reason: 'OTP has expired' };
  }

  if (userEnteredOTP !== otp) {
    return { valid: false, reason: 'Incorrect OTP' };
  }

  // OTP valid — delete it so it can't be reused
  await redis.del(`otp:${phoneNumber}`);
  return { valid: true };
}
```
Python Implementation
```python
import requests


def send_whatsapp_otp(phone_number: str, otp: str) -> bool:
    url = 'https://api.wapiconnect.cloud/api/send-message'
    headers = {
        'Content-Type': 'application/json',
        # Placeholder: load the key from an environment variable, not source code
        'x-api-key': 'YOUR_API_KEY'
    }
    message = f"Your verification code is: *{otp}*\n\nExpires in 5 minutes. Do not share."
    payload = {
        'sessionId': 'YOUR_SESSION_ID',
        'number': phone_number,
        'message': message
    }
    # A timeout stops a stalled API call from hanging the login request
    resp = requests.post(url, json=payload, headers=headers, timeout=10)
    return resp.json().get('success', False)
```
Security Best Practices
- Expire OTPs in 5 minutes — longer windows increase brute-force risk.
- Limit retries — block after 5 failed attempts per session.
- Delete OTP after use — prevent replay attacks.
- Rate limit the send endpoint — max 3 OTP requests per phone number per 10 minutes.
- Never log OTPs — treat them like passwords.
- Use 6 digits minimum — 4-digit OTPs are too easy to brute-force.
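The practices above combined in one verifier, as an added example that is not part of the original guide or WapiConnect's own code. It uses an in-memory Map in place of Redis and an injectable clock; `createOtpGuard`, `issue` and `verify` are hypothetical names.

```javascript
// Added example: in-memory stand-in for Redis; all names are hypothetical.
const { randomInt, timingSafeEqual } = require('crypto');

const OTP_TTL_MS = 5 * 60 * 1000;      // expire OTPs in 5 minutes
const MAX_ATTEMPTS = 5;                // block after 5 failed attempts
const MAX_SENDS = 3;                   // max 3 OTP requests ...
const SEND_WINDOW_MS = 10 * 60 * 1000; // ... per phone number per 10 minutes

function createOtpGuard(now = Date.now) {
  const sessions = new Map(); // phone -> { otp, expiresAt, failures }
  const sends = new Map();    // phone -> timestamps of recent send requests

  function issue(phone) {
    const recent = (sends.get(phone) || []).filter(t => now() - t < SEND_WINDOW_MS);
    if (recent.length >= MAX_SENDS) return { ok: false, reason: 'rate_limited' };
    sends.set(phone, [...recent, now()]);
    const otp = randomInt(100000, 1000000).toString(); // CSPRNG, always 6 digits
    sessions.set(phone, { otp, expiresAt: now() + OTP_TTL_MS, failures: 0 });
    return { ok: true, otp }; // pass otp to the sender only; never log it
  }

  function verify(phone, entered) {
    const s = sessions.get(phone);
    if (!s) return { valid: false, reason: 'not_found' };
    if (now() > s.expiresAt) {
      sessions.delete(phone);
      return { valid: false, reason: 'expired' };
    }
    const a = Buffer.from(String(entered));
    const b = Buffer.from(s.otp);
    const match = a.length === b.length && timingSafeEqual(a, b);
    if (!match) {
      s.failures += 1;
      if (s.failures >= MAX_ATTEMPTS) {
        sessions.delete(phone); // burn the code: user must request a new one
        return { valid: false, reason: 'locked' };
      }
      return { valid: false, reason: 'incorrect' };
    }
    sessions.delete(phone); // single use: prevents replay
    return { valid: true };
  }

  return { issue, verify };
}
```

With Redis as the store, increment the failure counter atomically (for example with `INCR`) so parallel guesses cannot race past the limit. The send limit also caps total guesses, since each new code resets the failure count.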
OTP Message Template Tips
WhatsApp messages with clear formatting convert better. Use this template structure:
Your [AppName] verification code is: *847291*
This code expires in 5 minutes.
Do not share this code with anyone.
— The [AppName] Team
Frequently Asked Questions
Does the recipient need to have my number saved?
No. WhatsApp delivers messages even if the recipient hasn't saved your number, though they may see a "Message from unknown number" notice.
Can I use WhatsApp OTP for 2FA?
Yes — it works identically to SMS 2FA but with faster delivery and higher reliability.
What if the user doesn't have WhatsApp?
We recommend a fallback: detect if delivery fails and send an SMS as a backup. WapiConnect webhooks will notify you of failed deliveries so you can trigger the fallback automatically.