> ## Documentation Index
> Fetch the complete documentation index at: https://docs.authsignal.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WhatsApp OTP

> Use the Web SDK to implement WhatsApp authentication.

<Info>
  All Web SDK methods for WhatsApp require you to [initiate an action
  first](/sdks/client/web/actions). Check out our [guide on WhatsApp
  authentication](/authentication-methods/whatsapp-otp) for more details.
</Info>

## Challenge

Start enrollment re-authentication for an existing WhatsApp authenticator by sending the user a WhatsApp message containing an OTP code.

```ts theme={null}
const response = await authsignal.whatsapp.challenge();
```

### Response

<ResponseField name="response" type="AuthsignalResponse<ChallengeResponse>">
  <Expandable title="properties">
    <ResponseField name="data" type="ChallengeResponse">
      <Expandable title="properties">
        <ResponseField name="challengeId" type="string">
          The ID of the Authsignal challenge.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="errorCode" type="string">
      See the [Error handling](/sdks/client/web/error-handling) section for more details.
    </ResponseField>

    <ResponseField name="errorDescription" type="string" />
  </Expandable>
</ResponseField>

## Verify

Finish enrolling or re-authenticating a WhatsApp OTP authenticator by verifying the code submitted by the user.

```ts theme={null}
const response = await authsignal.whatsapp.verify({ code: "123456" });
```

### Parameters

<ResponseField name="code" type="string">
  The OTP code inputted by the user.
</ResponseField>

### Response

<ResponseField name="response" type="AuthsignalResponse<VerifyResponse>">
  <Expandable title="properties">
    <ResponseField name="data" type="VerifyResponse">
      <Expandable title="properties">
        <ResponseField name="isVerified" type="boolean" required>
          True if the verification was successful.
        </ResponseField>

        <ResponseField name="token" type="string">
          A token which can be used for [server-side
          validation](/sdks/server/challenges#validate-challenge).
        </ResponseField>

        <ResponseField name="userAuthenticator" type="object">
          Only present on first time verification e.g. enrollment.

          <Expandable title="properties">
            <ResponseField name="userAuthenticatorId" type="string" required>
              The ID of the Authsignal user authenticator.
            </ResponseField>

            <ResponseField name="verificationMethod" type="'SMS' | 'AUTHENTICATOR_APP' | 'EMAIL_MAGIC_LINK' | 'EMAIL_OTP' | 'PASSKEY' | 'PUSH' | 'SECURITY_KEY' | 'VERIFF' | 'IPROOV' | 'IDVERSE' | 'PALM_BIOMETRICS_BR'" required />

            <ResponseField name="createdAt" type="string" required>
              The date and time the authenticator was created in ISO 8601 format.
            </ResponseField>

            <ResponseField name="verifiedAt" type="string" required>
              The date and time the authenticator was first verified in ISO 8601 format.
            </ResponseField>

            <ResponseField name="lastVerifiedAt" type="string">
              The date and time the authenticator was last verified in ISO 8601 format.
            </ResponseField>

            <ResponseField name="isDefault" type="boolean" required>
              Whether the authenticator is the default authenticator for the user.
            </ResponseField>

            <ResponseField name="email" type="string">
              The email address of the authenticator. Only present for email authenticators e.g. email OTP and email magic link.
            </ResponseField>

            <ResponseField name="phoneNumber" type="string">
              The phone number of the authenticator. Only present for phone authenticators e.g. SMS/WhatsApp OTP.
            </ResponseField>

            <ResponseField name="previousSmsChannel" type="SMS | WHATSAPP">
              The previous SMS channel used to send the OTP code. Only present for phone authenticators e.g. SMS/WhatsApp OTP.
            </ResponseField>

            <ResponseField name="webauthnCredential" type="string">
              Only present for passkey authenticators.

              <Expandable title="properties">
                <ResponseField name="credentialId" type="string" required>
                  The ID of the passkey credential.
                </ResponseField>

                <ResponseField name="deviceId" type="string" required>
                  The device ID of the passkey credential.
                </ResponseField>

                <ResponseField name="name" type="string">
                  The name of the passkey credential.
                </ResponseField>

                <ResponseField name="aaguid" type="string">
                  The AAGUID of the passkey credential.
                </ResponseField>

                <ResponseField name="credentialBackedUp" type="boolean" required>
                  Whether the passkey credential is backed up.
                </ResponseField>

                <ResponseField name="credentialDeviceType" type="'singleDevice' | 'multiDevice'">
                  The device type of the passkey credential.
                </ResponseField>

                <ResponseField name="parsedUserAgent" type="object">
                  The parsed user agent of the passkey credential.

                  <Expandable title="properties">
                    <ResponseField name="ua" type="string" required>
                      The user agent of the passkey credential.
                    </ResponseField>

                    <ResponseField name="browser" type="object">
                      The browser of the passkey credential.

                      <Expandable title="properties">
                        <ResponseField name="name" type="string">
                          The name of the browser.
                        </ResponseField>

                        <ResponseField name="version" type="string">
                          The version of the browser.
                        </ResponseField>

                        <ResponseField name="major" type="string">
                          The major version of the browser.
                        </ResponseField>
                      </Expandable>
                    </ResponseField>

                    <ResponseField name="device" type="object">
                      The device of the passkey credential.

                      <Expandable title="properties">
                        <ResponseField name="model" type="string">
                          The model of the device.
                        </ResponseField>

                        <ResponseField name="type" type="string">
                          The type of the device.
                        </ResponseField>

                        <ResponseField name="vendor" type="string">
                          The vendor of the device.
                        </ResponseField>
                      </Expandable>
                    </ResponseField>

                    <ResponseField name="engine" type="object">
                      The engine of the passkey credential.

                      <Expandable title="properties">
                        <ResponseField name="name" type="string">
                          The name of the engine.
                        </ResponseField>

                        <ResponseField name="version" type="string">
                          The version of the engine.
                        </ResponseField>
                      </Expandable>
                    </ResponseField>

                    <ResponseField name="os" type="object">
                      The OS of the passkey credential.

                      <Expandable title="properties">
                        <ResponseField name="name" type="string">
                          The name of the OS.
                        </ResponseField>

                        <ResponseField name="version" type="string">
                          The version of the OS.
                        </ResponseField>
                      </Expandable>
                    </ResponseField>

                    <ResponseField name="cpu" type="object">
                      The CPU of the passkey credential.

                      <Expandable title="properties">
                        <ResponseField name="architecture" type="string">
                          The architecture of the CPU.
                        </ResponseField>
                      </Expandable>
                    </ResponseField>
                  </Expandable>
                </ResponseField>

                <ResponseField name="verifiedAt" type="string" required>
                  The date and time the passkey credential was verified in ISO 8601 format.
                </ResponseField>

                <ResponseField name="authenticatorAttachment" type="'platform' | 'cross-platform'">
                  The authenticator attachment of the passkey credential.
                </ResponseField>

                <ResponseField name="aaguidMapping" type="string">
                  The AAGUID mapping of the passkey credential.

                  <Expandable title="properties">
                    <ResponseField name="name" type="string" required>
                      The name of the AAGUID mapping.
                    </ResponseField>

                    <ResponseField name="svgIconLight" type="string">
                      The SVG icon of the AAGUID mapping in light mode.
                    </ResponseField>

                    <ResponseField name="svgIconDark" type="string">
                      The SVG icon of the AAGUID mapping in dark mode.
                    </ResponseField>
                  </Expandable>
                </ResponseField>
              </Expandable>
            </ResponseField>
          </Expandable>
        </ResponseField>

        <ResponseField name="failureReason" type="string">
          A structured code present if the verification failed due to user error. Possible values are:
          `CODE_INVALID_OR_EXPIRED` or `MAX_ATTEMPTS_EXCEEDED`.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="errorCode" type="string">
      See the [Error handling](/sdks/client/web/error-handling) section for more details.
    </ResponseField>

    <ResponseField name="errorDescription" type="string" />
  </Expandable>
</ResponseField>
