Send one-time verification codes via WhatsApp for authentication and for verifying users’ phone numbers.
Authsignal SDKs can be used to implement WhatsApp OTP challenges in two scenarios.
Sign-in. Use our Server SDKs to authenticate users with WhatsApp OTP as the 1st factor. This integration only requires a phone number to initiate.
Adaptive MFA. Use Server SDKs together with Client SDKs to authenticate users with WhatsApp OTP as a secondary factor. This integration requires a user ID to initiate and assumes the user has already been authenticated with a primary factor.
Scenario - Let users sign in with WhatsApp OTP as the 1st factor.
Our Server SDKs include methods to initiate and verify a WhatsApp OTP challenge for a given phone number.
These methods are well-suited for passwordless sign-in scenarios where you need to authenticate a user based on their phone number.
You can choose a value for the action here which best describes what the user is doing in your app (e.g. signing in with WhatsApp).
It will be used to track user activity in the Authsignal Portal.
Now that the challenge has been verified, you can look up the user in your IdP or DB based on their phone number.
For passwordless flows with a combined sign-up and sign-in UX, you may need to create the user at this point if no account exists.
Then claim the challenge once you know the primary user ID associated with the phone number.
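The ordering of the steps above (verify, then look up or create the user, then claim), sketched as an added example that is not Authsignal's own code. The `makeFakeOtpService` stand-in, its method names and return shapes, the `whatsAppSignIn` action value and the user IDs are assumptions made for illustration; the phone number a code was sent to is kept server-side so the lookup never relies on a value the client resubmits.

```javascript
// In-memory stand-in for a Server SDK client (hypothetical names and shapes).
function makeFakeOtpService(fixedCode) {
  const challenges = new Map(); // challengeId -> { phoneNumber, action, claimedBy }
  let nextId = 1;
  return {
    async challenge({ phoneNumber, action }) {
      const challengeId = `ch_${nextId++}`;
      challenges.set(challengeId, { phoneNumber, action, claimedBy: null });
      return { challengeId };
    },
    async verify({ challengeId, code }) {
      return { isVerified: challenges.has(challengeId) && code === fixedCode };
    },
    async claimChallenge({ challengeId, userId }) {
      challenges.get(challengeId).claimedBy = userId;
    },
    claimedBy: (challengeId) => challenges.get(challengeId)?.claimedBy ?? null,
  };
}

// Passwordless sign-in with combined sign-up; usersByPhone stands in for your IdP or DB.
function makeSignIn(otp, usersByPhone) {
  const pending = new Map(); // challengeId -> phone number the code was sent to
  return {
    async start(phoneNumber) {
      const { challengeId } = await otp.challenge({ phoneNumber, action: "whatsAppSignIn" });
      pending.set(challengeId, phoneNumber);
      return challengeId;
    },
    async finish(challengeId, code) {
      const phoneNumber = pending.get(challengeId);
      if (!phoneNumber) return { ok: false }; // unknown or already used challenge
      const { isVerified } = await otp.verify({ challengeId, code });
      if (!isVerified) return { ok: false }; // no lookup and no account creation
      pending.delete(challengeId); // a verified challenge is single use
      let userId = usersByPhone.get(phoneNumber);
      const created = userId === undefined;
      if (created) {
        userId = `user_${usersByPhone.size + 1}`; // constructed ID scheme
        usersByPhone.set(phoneNumber, userId);
      }
      // Claim only once the primary user ID for this phone number is known.
      await otp.claimChallenge({ challengeId, userId });
      return { ok: true, userId, created };
    },
  };
}
```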
Scenario - Challenge users with WhatsApp OTP as a 2nd factor and use rules to decide when
and where in your app to trigger the challenge.
The following steps demonstrate how to implement adaptive MFA with WhatsApp OTP - either at sign-in or as step-up authentication when the user performs a sensitive action in your app (e.g. making a payment).
You can choose a value for the action here which best describes what the user is doing in your app (e.g. signIn or createPayment).
Each action can have its own set of rules.
To learn more about using rules and handling different action states refer to our documentation on actions and rules.
If the action state is CHALLENGE_REQUIRED then you can present a WhatsApp OTP challenge using the Web SDK or Mobile SDK.
Custom UI
```javascript
// Set token from the track response
authsignal.setToken("eyJhbGciOiJ...");

// Send the user a WhatsApp OTP code
// You can call this multiple times via a 'resend' button
await authsignal.whatsapp.challenge();

// Verify the inputted code matches the original code
const response = await authsignal.whatsapp.verify({ code: "123456" });

// Obtain a new token
const token = response.token;
```
Scenario - Enroll users in WhatsApp OTP while they’re authenticated so it can be used later as
a method for adaptive MFA.
To use WhatsApp OTP for adaptive MFA, users must be enrolled with WhatsApp OTP as an authentication method.
This means their phone number has previously been verified and can be trusted. The following steps demonstrate how to implement an enrollment flow using a Server SDK.
The add:authenticators scope is required to enroll a new WhatsApp authenticator for an existing user.
This scope should only be used when the user is in an already authenticated state.
For more information on using scopes safely refer to our documentation on authenticator binding.
The update:authenticators scope is required to update a user’s existing WhatsApp authenticator to change the phone number.
This scope should only be used when the user is in an already authenticated state.
For more information on using scopes safely refer to our documentation on authenticator binding.
Scenario - Enroll or update a WhatsApp authenticator for a user when you’ve already verified
their phone number in another system, so it can be used later as a method for adaptive MFA.
In some cases you may have already verified a user’s phone number using another system.
This means the user can be enrolled without having to complete a WhatsApp OTP challenge.