WhatsApp OTP Docs
WhatsApp OTP Authentication
WhatsApp OTP authentication should be implemented as a backend security workflow. DNZ delivers the message, while your application controls identity state, verification records, expiry, and final access decisions.
Authentication model
Create a verification record for every request. Store userId or phone, purpose, code hash, expiry, attempts, and status. Purpose separation is important: a login code should not confirm a payment, and a recovery code should not authorize a new device.
Your backend calls DNZ `/api/send-otp` only after local checks pass. This keeps abuse controls close to your user model and keeps the DNZ API key private.
{
  "apiKey": "wb_live_xxxxxxxxxxxxx",
  "number": "+9647878785391",
  "message": "Your login code is 482910. It expires in 5 minutes."
}
Verification rules
Reject expired records, used records, and records above the attempt limit. After a successful match, mark the record as used before returning success to avoid race conditions.
For sensitive actions, require an existing authenticated session before requesting the OTP. The OTP becomes a second confirmation, not the only identity proof.
