WhatsApp OTP for Pro+ tenants — native one-time codes for login, reset, and 2FA

Pro and Enterprise tenants connected to Meta WhatsApp Cloud API can now send one-time passcodes over WhatsApp via Meta's native AUTHENTICATION template category. The customer receives a normal WhatsApp message from your verified business name, with a one-tap Copy Code button right under the body. They tap, the code lands on the clipboard, they paste it into your app, they're in. Total time: 2-4 seconds. Cheaper than SMS by a meaningful multiple in most SEA corridors and with higher delivery rates because the message arrives from a recognised business profile.

If you currently fire SMS OTP for login, password reset, or high-value checkout, this is the single biggest cost-saving line-item swap in your stack. The typical SEA SMB sees a 50-80% reduction in OTP delivery costs after the cutover, plus the soft win of higher conversion.

Open Dashboard → WhatsApp → Templates and click + New template. Pick category Authentication. The editor swaps the standard header/body/footer/buttons fields for an auth-only sub-editor — this is intentional, because Meta locks the body text on auth templates and rejects anything else. Body is auto-filled with Meta's required boilerplate ({{1}} is your verification code.) — don't edit it. Pick the OTP button: One-tap copy code (default), Autofill (Android SDK), or Zero-tap copy code. Set code expiration (5-90 minutes for the auto-rendered footer, or 0 for none). Click Submit to Meta. Approval typically returns in under 5 minutes — faster than any other category because there's no marketing-content review.

Once approved, point your existing OTP backend at Botline. Auth is your normal tenant JWT (Settings → API access). Pass the customer's phone in E.164, the template name, and a 4-8 digit code you generated on your side: POST /tenant/otp/send with body { phone, templateName, code }. Botline forwards to Meta Cloud API and the customer's phone receives the OTP as a normal WhatsApp message with a one-tap Copy Code button.

Botline is the delivery channel, not the OTP authority — you generate the code, persist it with a TTL matching the template expiration, and verify on submit. Same way your SMS provider works today; only the gateway changes. Per-tenant rate limit is 100 OTPs/min; plenty for sane volume.

Every successful send writes a row to wa_conversation_cost_log with origin='auth_otp' and category='authentication'. Country is inferred from the phone prefix for per-corridor pricing. The /admin/ai → WA Spend tab gained a dedicated OTP 7d column so you can watch spend live alongside marketing/utility/catalog/flow.

WhatsApp OTP is included on the Pro and Enterprise plans at no upcharge from Botline. You pay Meta directly per Cloud API conversation rate — authentication-tier conversations are typically a fraction of marketing/utility-tier in most SEA corridors. Botline takes nothing on top.

Read the full how-to with worked code examples and a troubleshooting checklist: WhatsApp OTP: native one-time codes for login, password reset, and transaction confirm.