Skip to main content
Sending OTP codes as an unexpected first WhatsApp message is risky. WhatsApp is likely to ban or restrict accounts that send OTPs to users who did not start the conversation first.
If your flow sends OTP messages directly to new or inactive recipients, your WhatsApp account is much more likely to be reported, blocked, or banned.
The safer pattern is to make the user send the first WhatsApp message, then reply with the OTP. This creates clear user intent and gives the conversation context before your system sends the OTP.

Option 1: Build it yourself with webhooks

Use this option if you want full control over the verification flow.
1

Ask the user to message you first

Add a WhatsApp button or link in your app or website so the user starts the chat themselves.
2

Receive the incoming message

Configure WhatsApp webhooks to capture the user’s first message.
3

Implement your OTP logic

In your backend, detect the verification request, generate or validate the OTP, and connect it to the correct user session.
4

Reply using the WhatsApp API

Send the OTP back as a reply using the messaging endpoints in the WhatsApp API.
Keep the first user message simple, such as “verify”, “login”, or a short token tied to the current session.

Option 2: Use our existing OTP API

If you do not want to build the full flow yourself, use the existing OTP API.

Generate OTP Link

Create a WhatsApp OTP link that opens WhatsApp with a prepared message so the user can start the conversation first.
You can also use these endpoints directly: This is the recommended path if you want a faster implementation with less custom backend logic.

Best practice summary

  • Do not send OTPs as cold outbound WhatsApp messages.
  • Expect higher ban risk if your account starts OTP conversations by itself.
  • Prefer a flow where the user sends the first message.
  • Use webhooks if you want to build the logic yourself.
  • Use the OTP API if you want a ready-made flow.