WhatsApp OTP Integration Guide (Node.js, PHP, Python) – Mobile Number Verification Using WhatsApp
Verifying user mobile numbers is essential for sign-ups, password resets, and sensitive actions. In 2025, WhatsApp OTP is a strong alternative to SMS — it often delivers faster, with higher reliability and lower total cost per verified user when implemented correctly.
🔎 Why Use WhatsApp for OTP (Not Just SMS)?
- Better delivery: WhatsApp messages reach users over data — near 98–100% delivery for active users.
- Lower effective cost: One WhatsApp conversation window (24 hours) can carry multiple messages/OTPs, reducing per-OTP cost for repeated tries.
- Richer UX: Buttons, quick replies, and branded messages improve conversion vs plain SMS.
- No DLT hassle: In many cases WhatsApp flows avoid telecom DLT complexities tied to bulk transactional SMS.
⚙️ How WhatsApp OTP Works — Simple Workflow
- User enters mobile number in your app.
- Your backend generates a short-lived OTP (6 digits) and stores it securely (DB/Redis) with TTL.
- Backend calls WhatsApp API (Wassy) to send the OTP template to the user's WhatsApp number.
- User reads the OTP and either clicks a "Verify" button or enters the OTP in your app.
- Your backend validates the OTP and completes verification.
📝 Recommended OTP Template
Your verification code is {{1}}.
It expires in 5 minutes.
Do not share this code with anyone.
Add buttons for Verify and Resend to boost UX and reduce friction.
💡 Security Best Practices
- OTP validity: 3–5 minutes.
- Rate limit: 1 OTP per 30 seconds; lock after 3 failed attempts.
- Store OTP hashed (or encrypted) with TTL in Redis for fast checks.
- Log OTP sends & verify events for fraud monitoring.
💸 Cost Comparison — WhatsApp OTP vs SMS (Practical)
Costs vary by provider and volume. Below is a clear, side-by-side comparison including Wassy's pricing.
| Channel | Typical Price (India) | Notes |
|---|---|---|
| SMS OTP (Transactional) | ₹0.18 – ₹0.35 / message | DLT, operator fees; delivery can be impacted by DND and network issues. |
| WhatsApp OTP (Generic providers) | ₹0.10 – ₹0.35 / conversation or message | Conversation model allows multiple messages in 24h — effective per-OTP cost can be lower. |
| Wassy WhatsApp OTP | ₹0.10 / message | Lowest published per-message rate — bulk discounts available. No Meta verification required. |
Practical example: If a user requests OTP twice in 24 hours:
SMS: 2 × ₹0.20 = ₹0.40
Wassy WhatsApp: ~₹0.10 (single conversation or single message cost often applies) → massive savings on repeated attempts.
🔧 Wassy API — Quick Overview
Wassy provides a simple REST API to send templated WhatsApp messages (OTP-friendly). No Meta business verification headaches — connect and send. Below are practical examples for Node.js, PHP, and Python.
📦 Prerequisites
- Wassy account and API key (Dashboard → API Keys).
- Template created in Wassy dashboard: otp_message with one variable for the code.
- Server-side runtime: Node.js / PHP / Python with an HTTP client library.
🧩 Node.js — Send OTP Example
```javascript
import axios from "axios";
import crypto from "crypto";

// Generate a 6-digit OTP from the OS CSPRNG. Math.random() is predictable
// and must not be used for verification codes.
function generateOtp() {
  return crypto.randomInt(100000, 1000000).toString();
}

export async function sendOtpNode(phone) {
  const otp = generateOtp();
  // storeOtp(phone, otp, ttl=300) // implement storing (hashed, with TTL)

  const payload = {
    phone: phone, // E.g. "919876543210"
    template_name: "otp_message",
    variables: [otp]
  };

  const res = await axios.post("https://api.wassy.in/send", payload, {
    headers: {
      Authorization: "Bearer YOUR_WASSY_API_KEY",
      "Content-Type": "application/json"
    }
  });

  // The OTP is returned for server-side storage only; never include it
  // in the HTTP response sent back to the client.
  return { success: res.data.success, otp };
}
```
🐘 PHP — Send OTP Example
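```php
<?php
// The opening lines of this example were lost on the page. The function name
// and the OTP generation below are reconstructed to mirror the Node.js and
// Python examples.
function sendOtpPhp($phone) {
    $otp = (string) random_int(100000, 999999); // CSPRNG-backed
    // storeOtp($phone, $otp, 300); // implement storing (hashed, with TTL)

    $payload = json_encode([
        "phone" => $phone,
        "template_name" => "otp_message",
        "variables" => [$otp]
    ]);

    $ch = curl_init("https://api.wassy.in/send");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        "Content-Type: application/json",
        "Authorization: Bearer YOUR_WASSY_API_KEY"
    ]);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    $result = curl_exec($ch);
    curl_close($ch);

    return json_decode($result, true);
}
?>
```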
🐍 Python — Send OTP Example
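```python
import secrets

import requests


def generate_otp():
    # 6-digit code from the OS CSPRNG; the random module is predictable
    # and must not be used for verification codes.
    return secrets.randbelow(900000) + 100000


def send_otp_python(phone):
    otp = str(generate_otp())
    # store_otp(phone, otp, ttl=300)  # implement storing (hashed, with TTL)

    payload = {
        "phone": phone,
        "template_name": "otp_message",
        "variables": [otp]
    }
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Bearer YOUR_WASSY_API_KEY"
    }

    # A timeout keeps a stalled API call from hanging the request handler.
    resp = requests.post("https://api.wassy.in/send", json=payload,
                         headers=headers, timeout=10)
    return resp.json()
```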
✅ Verify OTP (Common Server-side Logic)
After the user submits OTP, compare the submitted code with the stored one (use constant-time compare where possible). On success, mark the phone as verified and delete the OTP entry.
🔁 Handling Resend & Abuse Protection
- Allow resend only after 30 seconds.
- Limit resends to 3–5 times per hour per number.
- Use CAPTCHA or SMS fallback if abuse patterns are detected.
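
The storage, verification and resend rules from the two sections above, combined in one added example (not Wassy's code and not part of the original page). It assumes an in-memory dict as a stand-in for Redis and a server-side HMAC key; `issue_otp`, `verify_otp` and `_PEPPER` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300          # seconds; the page recommends 3-5 minutes
RESEND_COOLDOWN = 30   # seconds between sends to one number
MAX_FAILURES = 3       # lock the code after this many wrong guesses

_PEPPER = secrets.token_bytes(32)  # assumption: load from a secret store in production
_store = {}  # phone -> record; in-memory stand-in for Redis keys with TTL


def _digest(phone, otp):
    # Keyed hash bound to the phone number: a leaked record cannot be
    # brute-forced offline without the key, nor replayed for another number.
    return hmac.new(_PEPPER, f"{phone}:{otp}".encode(), hashlib.sha256).digest()


def issue_otp(phone, now=None):
    """Create an OTP for phone; return it for sending, or None during cooldown."""
    now = time.time() if now is None else now
    rec = _store.get(phone)
    if rec and now - rec["sent_at"] < RESEND_COOLDOWN:
        return None
    otp = f"{secrets.randbelow(10**6):06d}"
    _store[phone] = {"digest": _digest(phone, otp), "sent_at": now,
                     "expires_at": now + OTP_TTL, "failures": 0}
    return otp


def verify_otp(phone, submitted, now=None):
    """Return 'ok', 'invalid', 'expired', 'locked' or 'missing'."""
    now = time.time() if now is None else now
    rec = _store.get(phone)
    if rec is None:
        return "missing"
    if now >= rec["expires_at"]:
        del _store[phone]
        return "expired"
    if rec["failures"] >= MAX_FAILURES:
        return "locked"   # checked before comparing, so no further guesses count
    if hmac.compare_digest(rec["digest"], _digest(phone, submitted)):
        del _store[phone]  # single use: delete on success
        return "ok"
    rec["failures"] += 1
    return "invalid"
```

The hourly resend cap from the list above is not included here; it needs a separate per-number counter with its own one-hour TTL.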
📊 Metrics to Track
- OTP delivered rate (WhatsApp delivered vs failed).
- OTP verify success rate.
- Average time-to-verify.
- Resend rate and attempts per user.
🧾 Real World Cost Example (Illustrative)
For 100,000 verifications:
- SMS (avg ₹0.20) → ₹20,000 + DLT overheads
- WhatsApp via Wassy (flat ₹0.10/message) → ₹10,000
Because Wassy charges as low as ₹0.10 per message, and because WhatsApp conversations can carry multiple messages inside a 24-hour window, your effective cost per successful verification is typically much lower than SMS — especially when users request resends or multiple verification messages.
📌 When to Use SMS Instead
- If target users don't have smartphones or WhatsApp installed.
- When regulatory/legal requirements mandate SMS for specific workflows.
- As a fallback channel if WhatsApp delivery fails.
🚀 Final Recommendations
- Use WhatsApp OTP as the primary channel where users have WhatsApp — it improves delivery and reduces cost.
- Keep SMS as fallback for non-WhatsApp numbers.
- Store OTPs securely with short TTL in Redis and enforce rate limits.
- Instrument metrics to measure delivery, verification rates, and cost per verified user.
❓ FAQ
Q: Is WhatsApp OTP legal and safe?
Yes — when used with user consent and proper privacy handling. Follow local regulations for OTP and messaging consent.
Q: What if the user doesn't have WhatsApp?
Use SMS fallback or prompt the user to enter a different number.
Q: Can I send OTPs in bulk?
Do not broadcast OTPs. Send per-user session messages via API to ensure privacy and deliverability.
🔗 Start Now with Wassy
Create a Wassy account, add your OTP template, generate an API key, and integrate using the examples above. With Wassy's low pricing of ₹0.10 per message, you can dramatically cut verification costs while improving delivery and UX.

