One Time Password (OTP) is a short code that is useful for user security authentication in an application. OTP is here to protect the personal data of user data when logging into the application. Its nature to maintain data security makes the data only activated in a few minutes. In addition, as an application service provider, you must also participate in maintaining the confidentiality of the OTP code that you send.
Generally, the OTP code is sent via SMS service. It’s just that there are many weaknesses in terms of data security if the OTP is sent via SMS. For that, it’s a good idea to start thinking about switching to using the WhatsApp Business API to send OTP codes. The end-to-end encryption feature on WhatsApp makes messages only readable by users. In addition to these advantages, fast delivery, delivery quotas, and characters are advantages of using the WhatsApp Business API.
Get the WhatsApp Business API service by partnering with Qiscus as the official WhatsApp Business partner in Indonesia. Qiscus provides WhatsApp Business API services in one dashboard called Qiscus Omnichannel. If you are interested in sending OTP via WhatsApp, it’s a good idea to start listening to the following tutorial.
Things to Know
There are several things that you must prepare before you can finally send the OTP code via the WhatsApp Business API, here are the details:
- To enable the WhatsApp Business API, you can contact Qiscus here.
- Activation of Qiscus Omnichannel Chat, for help you can contact us here.
- WhatsApp account integration with Qiscus Omnichannel Chat, use the documentation guide here to do the integration.
- Creating message templates to send OTP, see product documentation here for implementation.
Implementation
There are several steps that you must do after the Qiscus Omnichannel Chat setup is complete. Check out the steps as follows.
1. Authentication
You must get AdminToken authentication before finally sending OTP using WhatsApp Business API. Use the following API to get it.
Use the following API for Admin Token:
[POST] https://multichannel.qiscus.com/api/v1/auth
Sample Request Body
{
"email": "YOUR_EMAIL",
"password": "YOUR_PASSWORD",
}
Example Request
curl --location --request POST 'https://multichannel.qiscus.com/api/v1/auth' \
--form 'email=YOUR_EMAIL' \
--form 'password=YOUR_PASSWORD'
Example Response
{
"data": {
"user": {
"id": 2,
"name": "Qismo",
"email": "qiscus_xxxx_YOUR_EMAIL",
"authentication_token": "QEXevusxxxxxxxxxx1lsl8",
.......
},
"long_lived_token": "CztxxxxxxxxxxxxxxxjtS",
"user_configs": {
"notifagentjoining": null,
"is_notifagentjoining_enabled": true,
"notifmessagecoming": null,
"is_notifmessagecoming_enabled": false
}
}
}
2. Choosing The Template
If you have trouble creating message templates for OTP, Qiscus Omnichannel Chat has prepared several template options that you can use. Find more detailed message details here. To create a new template, you can go to the outgoing message menu on the Qiscus Omnichannel Chat dashboard. On the same page, you can also see the message templates that you have created.
Templates that have been created can also be viewed on the same page.
3. Using The API
After getting AdminToken and selecting a message template, the next step is using the API. In this tutorial, we will use sample template “otp_confirmation_text”. For detailed information about channel_id
, template_name
, namespace
, etc, click View on the selected template.
You can send WhatsApp OTP using this API:
[POST] https://multichannel.qiscus.com/api/v3/admin/broadcast/client
Header
Key | Type |
Authorization | {{AdminToken}} |
Body
Key | Type | Description |
channel_id | optional, if null will use first wa channel | Channel ID is the identifier of the channel |
template_name | required | Template name of the selected template |
namespace | required | Namespace of the selected template |
language | string, required | The language used in the selected template |
variables[] | array of string, required | The OTP code you want to send |
phone_number | string, required | The phone number you want to send the OTP to |
button_params | required if template has buttons | You only need to fill it out if the message template has button(s) |
Example request:
curl --location -g --request POST 'https://multichannel.qiscus.com/api/v3/admin/broadcast/client' \
--header 'Authorization: CztxxxxxxxxxxxxxxxjtS' \
--form 'channel_id: 7xx' \
--form 'template_name: otp_confirmation_text' \
--form 'namespace: 51dcd9a4_xxxx_xxxx_xxxx_xxxxxxbb5' \
--form 'language: id' \
--form 'variables[]: 5678' \
--form 'phone_number: +628xxxxxxx321' \
--form 'button_params:""'
Example response:
{
"data": {
"broadcast_job_id": xxx24,
"broadcast_logs": [
{
"id": 12371070,
"message_id": "gBGHxxxSGUDxsVcB",
"notes": null,
"phone_number": "+628xxxxxxx321",
"sent_at": "2022-07-29T03:47:14Z",
"status": "sent",
"variables": "[\"5678\"]"
}
],
"language": "id",
"name": "otp_confirmation_text",
"namespace": "51dcd9a4_xxxx_xxxx_xxxx_xxxxxxbb5"
},
"status": 200
}
The Result
This is how the message on the customer’s WhatsApp looks like
4. Checking if The Message was Sent
You can check whether an OTP code message was sent to the customer in two ways:
- Via the Qiscus dashboard
To see if an OTP message has been sent, you can view the broadcast history on the Send WhatsApp Broadcast Messages menu. Click See Log to get full information regarding the message.
There are 4 message delivery status:
- Sent: the message has been sent.
- Delivered: the message has been sent but has not been read by the customer.
- Read: customer has opened and read the message.
- Failed: your message failed to deliver.
You can see the status of the message in the detail log as shown below.
- Via Webhook
You can also view message status via Webhook. To do this, you have to setup API for the webhook URL.
API:
[POST] https://multichannel.qiscus.com/whatsapp/{{APP-ID}}/{{channel-id}}/settings
Header
Qiscus-App-Id : {{APP-ID}}
Qiscus-Secret-Key : {{Secret Key}}
content-type : application/json
You can get app_id
and secret_key
from Qiscus Omnichannel Chat dashboard in the Setting menu and then click App Information.
Body
{
"webhooks": {
"url": "YOUR_DOMAIN_URL.com/receive_webhooks"
}
}
Example request
curl -X POST \
https://multichannel.qiscus.com/whatsapp/evo-hxybzc3pcehtbokfv/779/settings \
-H 'Qiscus-App-Id: evo-hxybzc3pcehtbokfv' \
-H 'Qiscus-Secret-Key: xxxxxxxxxx' \
-H 'Content-Type: application/json' \
-d '{
"webhooks": {
"url": "YOUR_DOMAIN_URL.com/receive_webhooks"
}
}'
You can get your App ID and Qiscus Secret Key to authenticate in Qiscus Omnichannel Chat by following this page.
Example response
{
"business_id": "331765761667523",
"status": 200,
"webhooks": {
"url": "YOUR_DOMAIN_URL.com/receive_webhooks (http://your_domain_url.com/receive_webhooks)“
}
}
You can read the details about settings the webhooks in WhatsApp Business API in here.
5. In OTP Message Not Sent
There are several reasons why your OTP message is not being delivered to customers, namely:
- Your customer phone number is wrong
- The phone number is not registered on WhatsApp
If the OTP message is not delivered, you can do the following:
- Try again to send the message
- Use another method to send the OTP. For example, you can use other channels (e.g SMS, Email, and many more) that are integrated with Qiscus Omnichannel Chat.
Importance Notice
OTP is confidential and protects the personal data of your customers. To maintain confidentiality, you can hide the OTP variable on the Qiscus Omnichannel Chat dashboard. You can use the same API as the API to send WhatsApp OTP via Qiscus. However, to hide the variable and make it read-only by the customer, you must add hide_variables
in the body.
API:
[POST] https://multichannel.qiscus.com/api/v3/admin/broadcast/client
Header
Key | Type |
Authorization | {{AdminToken}} |
Body
Key | Type | Description |
channel_id | optional, if null will use first wa channel | Channel ID is the identifier of the channel |
template_name | required | Template name of the selected template |
namespace | required | Namespace of the selected template |
language | string, required | The language used in the selected template |
variables[] | array of string, required | The OTP code you want to send |
phone_number | string, required | The phone number you want to send the OTP to |
button_params | required if template has buttons | You only need to fill it out if the message template has button(s) |
hide_variables | true | hide_variables is used to hide OTP code in Qiscus Omnichannel Chat Inbox |
Example request
curl --location -g --request POST 'https://multichannel.qiscus.com/api/v3/admin/broadcast/client' \
--header 'Authorization: QEXevusxxxxxxxxxx1lsl8' \
--form 'channel_id: 7xx' \
--form 'template_name: otp_confirmation_text' \
--form 'namespace: 51dcd9a4_xxxx_xxxx_xxxx_xxxxxxbb5' \
--form 'language: id' \
--form 'variables[]:5678' \
--form 'phone_number:+628xxxxxxx321' \
--form 'button_params:""' \
--form 'hide_variables="true"'
Note:
You can get all the data AdminToken
, channel_id
, template_name
, namespace
, etc the same way as step 3.
Example response
{
"data": {
"broadcast_job_id": xxx24,
"broadcast_logs": [
{
"id": 12371070,
"message_id": "gBGHxxxSGUDxsVcB",
"notes": null,
"phone_number": "+628xxxxxxx321",
"sent_at": "2022-07-29T03:47:14Z",
"status": "sent",
"variables": "[\"5678\"]"
}
],
"language": "id",
"name": "otp_confirmation_text",
"namespace": "51dcd9a4_xxxx_xxxx_xxxx_xxxxxxbb5"
},
"status": 200
}
Result
This is how the hide_variables
will affect message on the Qiscus Omnichannel Chat dashboard.
Now that the WhatsApp Business API is ready to send OTPs to customers, make sure to test the delivery first.
Contact Qiscus for WhatsApp Business API Implementation
Qiscus Omnichannel Chat is a dashboard that contains all business conversation solutions for you. There are other solutions such as Chatbot and WhatsApp Chatbot that are useful for maximizing your business communication with customers. Feel free to contact us for a consultation and get the best offer. Contact Qiscus here.