Tutorials

How to Send WhatsApp OTP Notifications in 2026

Gaurav Verma
May 15, 2026
TABLE OF CONTENTS

Last Updated: May 2026

WhatsApp authentication messages now cost $0.006 per delivery in the United States, less than half the price of a typical 10DLC SMS. Combined with read rates above 90% and median delivery times under 3 seconds, this is the cheapest reliable OTP channel a US product team can use in 2026. (Source: WhatsApp Business Platform Pricing)

This guide walks through sending WhatsApp OTP notifications end-to-end: creating an authentication template, connecting WhatsApp Cloud API, building a workflow that delivers the code, and falling back to SMS or email when WhatsApp fails. Every code sample and field name is taken from current SuprSend and Meta documentation.

What We're Building

By the end of this tutorial, your backend will be able to call one API endpoint, pass a phone number and a one-time code, and have a WhatsApp OTP delivered to that user in under 3 seconds. The same workflow will automatically fall back to SMS if the user does not have WhatsApp on the number, or to email if SMS also fails.

The architecture has three pieces:

  • Meta WhatsApp Cloud API: Meta's hosted infrastructure for sending WhatsApp messages to users.
  • Authentication template: A pre-approved message format that Meta requires for OTP delivery.
  • SuprSend workflow: The orchestration layer that triggers the template, handles fallback, and records logs.

Why WhatsApp for OTP in 2026

Three things changed for WhatsApp OTP between 2024 and 2026 that affect the buying decision:

  1. Per-message pricing replaced conversation-based pricing on July 1, 2025. Meta now bills authentication, utility, and marketing templates separately at flat per-message rates. Predicting cost no longer requires modeling 24-hour conversation windows.
  2. North America authentication rates dropped on January 1, 2026. Authentication template messages to US users now cost $0.006 each, lower than the typical $0.0118 to $0.0133 for a single 10DLC SMS after carrier fees. (Source: Twilio US SMS Pricing)
  3. One-tap autofill is widely supported. Meta's one-tap and zero-tap authentication buttons let the recipient pass the code back to your app without manual entry, removing the most common OTP failure mode (user mistypes the code).

The trade-off is that WhatsApp OTP only works for users who have WhatsApp installed and have opted in to receive messages from your business. For US-only products, SMS coverage is broader. For products with significant international users, WhatsApp typically wins on both cost and delivery reliability. The right design is to attempt WhatsApp first and fall back to SMS.

For a wider comparison of channels, see email vs SMS notifications and the 3-channel decision guide.

Prerequisites

Before writing code, you need these set up:

  • A Meta Business Suite account with a verified business and a WhatsApp Business Account (WABA).
  • A phone number registered with WhatsApp Business Cloud API. You can use a new number or migrate an existing one from the WhatsApp Business app.
  • A Meta system user with a permanent access token. Temporary tokens expire after 24 hours and break production deploys.
  • A SuprSend account. The free tier is enough to follow this tutorial end-to-end.
  • Node.js 18+ or any backend that can call a REST API. Code samples below are in Node.js but the SuprSend REST API works from any language.

If you have not done the Meta side before, follow Meta's WhatsApp Cloud API getting-started guide first. The token, phone number ID, WABA ID, and app ID you generate there are what you will plug into SuprSend in Step 2.

Step 1: Create Your WhatsApp Authentication Template

Meta requires every WhatsApp message sent outside an active conversation to use a pre-approved template. For OTPs, you create a template under the Authentication category (distinct from Utility and Marketing).

Authentication templates have a specific structure that Meta enforces:

  • Body: A single variable for the OTP code. Example: Your verification code is {{1}}. It expires in 10 minutes.
  • No header or footer. Authentication templates do not allow rich media.
  • Button type: Choose one of Copy Code (user manually copies), One-Tap Autofill (Android only, code is filled into your app automatically), or Zero-Tap (silent verification on Android with the user's prior consent).

Create the template through Meta Business Suite or the WhatsApp Manager. Authentication templates are usually approved in seconds; in rare cases approval takes up to 24 hours.

Once approved, also create the template in SuprSend with the same name. SuprSend uses Handlebars-style variables ({{otp_code}}) and converts them to Meta's positional format ({{1}}) when submitting for approval. SuprSend's WhatsApp template guidelines cover the formatting rules Meta enforces.

Step 2: Connect WhatsApp Cloud API to SuprSend

In the SuprSend dashboard, go to Vendors, choose WhatsApp, and select WhatsApp Cloud API. You will need four pieces of information from Meta:

Field Where to Find It
Phone Number ID Meta App Dashboard, WhatsApp > API Setup
Access Token Meta Business Suite, generated for a system user (permanent token)
WABA ID (WhatsApp Business Account ID) Meta App Dashboard, same API Setup section
App ID Meta Developers, your app list

The WABA ID and App ID are what let SuprSend submit templates for approval on your behalf. Without them, you create templates manually in WhatsApp Manager and sync them into SuprSend.

Follow the full setup steps in the SuprSend WhatsApp Cloud API integration guide. The same workflow supports other WhatsApp providers like Gupshup, Karix, and Netcore if you already use one of them for marketing campaigns.

Step 3: Build the OTP Workflow

In the SuprSend dashboard, create a new workflow with a slug like send_otp_whatsapp. Add a single WhatsApp delivery node that references the authentication template you created in Step 1. Map the template variable ({{otp_code}}) to a data field from the trigger payload.

Two settings matter for OTP:

  • Channel routing: Set WhatsApp as the primary delivery channel. We will add SMS fallback in Step 5.
  • Throttling: Rate-limit per user (for example, max 3 OTPs per phone number per 5 minutes) to prevent abuse and credit burn.

The workflow engine handles the orchestration. See the design workflow doc for the visual editor walkthrough.

Step 4: Trigger the OTP From Your Backend

When a user requests an OTP, your backend generates the code, stores its hash with an expiry (5 to 10 minutes is standard), and calls the SuprSend workflow.

Node.js example using the SuprSend SDK:

const { randomUUID } = require("crypto");
const { Suprsend, WorkflowTriggerRequest } = require("@suprsend/node-sdk");

const suprClient = new Suprsend(
 process.env.SUPRSEND_WORKSPACE_KEY,
 process.env.SUPRSEND_WORKSPACE_SECRET
);

async function sendWhatsAppOtp(userId, phoneE164, otpCode) {
 const body = {
   workflow: "send_otp_whatsapp",
   recipients: [{ distinct_id: userId, $whatsapp: phoneE164 }],
   data: { otp_code: otpCode }
 };

 const trigger = new WorkflowTriggerRequest(body, {
   idempotency_key: randomUUID()
 });

 const response = await suprClient.workflows.trigger(trigger);

 if (!response.success) {
   throw new Error(`OTP trigger failed: ${response.message}`);
 }

 return response;
}

// Usage
await sendWhatsAppOtp("user_42", "+14155550100", "318492");

REST equivalent using cURL is documented in the SuprSend trigger workflow reference.

Three details to get right in production:

  • Phone number format: E.164 with leading + and country code (+14155550100). WhatsApp rejects everything else.
  • Idempotency key: Include one. If your retry logic fires twice, the second request returns the original result instead of sending a duplicate OTP.
  • Never log the OTP server-side. Store only its hash with the expiry timestamp. The OTP itself lives only in the request payload and the WhatsApp message.

For deeper coverage of the SuprSend trigger payload, see the trigger workflow documentation.

Step 5: Handle Delivery Failures With Fallback

WhatsApp delivery can fail for several reasons: the user does not have WhatsApp installed, has not opted in, has blocked your business number, or is on a number from a region where Meta cannot deliver. For production OTPs, you cannot accept silent failure.

Two fallback patterns work well, and both live inside the SuprSend workflow rather than your application code:

  1. Multi-channel fallback: Configure the workflow to attempt WhatsApp first. If delivery confirmation does not arrive within a timeout (typically 30 seconds for OTP), the workflow automatically attempts SMS via Twilio or Plivo. If SMS fails, fall back to email.
  2. Vendor fallback within WhatsApp: If you use two WhatsApp providers (for example, Meta Cloud API as primary and Gupshup as secondary), the Vendor Fallback feature routes to the next provider if the primary fails. Useful for global rollouts where one provider may have regional issues.

The smart routing page covers the channel-level fallback pattern in more detail.

Testing the Flow

Test in SuprSend's Sandbox workspace first. Sandbox comes with pre-configured vendors so you can verify the workflow without setting up Meta credentials, but it will only deliver to verified phone numbers you add through the dashboard.

Once Sandbox sends successfully, switch to Staging or Production:

  1. Add your WhatsApp Cloud API credentials in the Staging workspace's Vendors section.
  2. Trigger the workflow from your staging backend.
  3. Check the Requests log for the API call, Executions for the workflow run, and Messages for the WhatsApp delivery status.
  4. Verify the OTP arrives on a real phone with a registered WhatsApp account.
  5. Verify the SMS fallback by temporarily disabling WhatsApp on the test number and retriggering.

SuprSend's logging shows step-by-step what happened for each notification, including which vendor was attempted, the response code, and any error message.

What It Costs

The two cost components are Meta's per-message charge and your notification platform's fee.

Item Cost (US, May 2026)
WhatsApp authentication message (Meta) $0.006 per message
Typical 10DLC SMS for comparison (Twilio) $0.0118–$0.0133 per message
SuprSend Free plan 10,000 notifications/month included, no per-message fee

For a product sending 1 million OTPs per month at the US authentication rate, the Meta cost is roughly $6,000/month. The same volume on SMS would run $11,800 to $13,300/month before SuprSend's fee. Volume discounts on WhatsApp authentication can reduce the Meta cost further past a few million messages.

Meta's full pricing structure (utility, authentication, marketing template rates by country) lives on the WhatsApp Business Platform Pricing page.

Frequently Asked Questions

Do users need to opt in to receive WhatsApp OTPs?

Yes. Meta requires users to have consented to receive WhatsApp messages from your business. For OTPs, opt-in usually happens during signup ("Receive my login codes on WhatsApp instead of SMS"). The first message Meta sends to a recipient is also subject to anti-spam checks.

How fast is WhatsApp OTP delivery?

Median delivery is under 3 seconds globally. Cellular signal is not required because WhatsApp works over WiFi or mobile data. The catch is the user must have WhatsApp installed and be reachable on the device.

Can I send WhatsApp OTP without an approved template?

No. Meta requires every business-initiated WhatsApp message outside an active 24-hour conversation to use a pre-approved template. For OTPs, the template must be in the Authentication category. Templates are usually approved in seconds.

Is WhatsApp OTP more secure than SMS?

WhatsApp uses end-to-end encryption between sender and recipient, which SMS does not. SMS is vulnerable to SIM-swap attacks and SS7 interception. WhatsApp OTPs sidestep both. The trade-off is that users need WhatsApp installed and a stable internet connection.

What happens if the user does not have WhatsApp?

Meta returns a delivery failure within seconds. Your workflow should fall back to SMS or email automatically. Building this fallback inside a notification infrastructure platform like SuprSend avoids hard-coding retry logic into your authentication service.

Can I use one-tap autofill on iOS?

No. Meta's one-tap and zero-tap autofill buttons work on Android only as of May 2026. iOS users see a Copy Code button instead and tap to copy the code into their clipboard. Plan your UX for both platforms.

Summary

Sending WhatsApp OTP notifications in 2026 means setting up a Meta WhatsApp Business Account, creating an authentication template, connecting WhatsApp Cloud API to a notification infrastructure platform, and building a workflow that handles delivery plus fallback. The end-to-end setup takes a day for an experienced developer, and the resulting per-message cost (around $0.006 in the US) is roughly half the price of SMS.

The pieces worth getting right are the authentication template (Meta enforces strict format), the permanent access token (temporary ones break production), and the fallback path (WhatsApp will fail for some users; have SMS or email ready).

Want to send WhatsApp OTPs with built-in SMS and email fallback? Start building for free or book a demo to see SuprSend's WhatsApp + SMS + email orchestration in action.

Written by:
Gaurav Verma
Co-Founder, SuprSend
Implement a powerful stack for your notifications
Get Started For FreeBook Demo
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept

Get 10% OFF on your next order

Subscribe to our newsletter and receive a 10% OFF coupon to use on your next order.

Please check your email for your 10% OFF coupon
Oops! Something went wrong while submitting the form.