One-Tap Autofill Authentication Templates with Hibot WhatsApp Business API

Bot Automation
Apr 7
5 min read

Updated: April 2026

One-Tap Autofill Authentication Templates in Hibot WhatsApp Business API make it easier and faster for users to verify their identity through WhatsApp.

Instead of manually copying and entering a verification code, users on Android can simply tap the Autofill button inside the WhatsApp message. Hibot then securely opens your app and automatically fills the OTP.

This creates a faster login experience, improves conversion rates, and reduces user friction.

Important: Starting April 15, 2026, the older PendingIntent-based handshake method will be deprecated. Hibot recommends using the WhatsApp OTP Android SDK for all new integrations.

How One-Tap Autofill Works

A one-tap authentication message sent through Hibot includes:

Verification code text
Optional security warning
Optional expiration warning
Autofill button for Android users

Typical message format:

123456 is your verification code.

For your security, do not share this code.

This code expires in 5 minutes.

[Autofill]

When the user taps Autofill:

WhatsApp launches your Android app
The verification code is securely passed to your app
Your app automatically fills the OTP field
The user completes login instantly

Upcoming Deprecation Notice

If your current implementation uses PendingIntent-based handshakes, you must migrate before April 15, 2026.

Deprecated method:

PendingIntent handshake
Manual request_id validation

Recommended replacement:

WhatsApp OTP Android SDK
Built-in handshake validation
Automatic OTP retrieval
Better security and simplified integration

Device Support

One-Tap Autofill is currently supported only on Android devices.

If the recipient is using:

Android → Autofill button appears
iPhone or other devices → Copy Code button appears automatically

Limitations:

No media supported
No URLs supported
No emojis supported

Creating a One-Tap Authentication Template

Use the Hibot WhatsApp Business API template endpoint to create an authentication template.

curl -X POST "https://graph.facebook.com/v25.0/WHATSAPP_BUSINESS_ACCOUNT_ID/message_templates" \
-H "Authorization: Bearer ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
  "name": "authentication_code_autofill_button",
  "language": "en_US",
  "category": "authentication",
  "message_send_ttl_seconds": 60,
  "components": [
    {
      "type": "body",
      "add_security_recommendation": true
    },
    {
      "type": "footer",
      "code_expiration_minutes": 10
    },
    {
      "type": "buttons",
      "buttons": [
        {
          "type": "otp",
          "otp_type": "one_tap",
          "text": "Copy Code",
          "autofill_text": "Autofill",
          "supported_apps": [
            {
              "package_name": "com.example.myapp",
              "signature_hash": "K8a/AINcGX7"
            }
          ]
        }
      ]
    }
  ]
}'

Important Template Fields

Field	Description
name	Unique template name
language	Template language such as en_US
category	Must be authentication
add_security_recommendation	Adds “For your security, do not share this code.”
code_expiration_minutes	Code expiry between 1 and 90 minutes
autofill_text	Label for the Android autofill button
text	Label for fallback Copy Code button
package_name	Android package name of your app
signature_hash	App signing key hash

Example values:

{
  "autofill_text": "Autofill",
  "text": "Copy Code",
  "code_expiration_minutes": 5,
  "package_name": "com.example.myapp",
  "signature_hash": "K8a/AINcGX7"
}

Supported Apps

You can configure up to 5 Android apps inside the same template.

This is useful when you have:

Production app
Beta app
Staging app
White-label builds

Example:

"supported_apps": [
  {
    "package_name": "com.example.app",
    "signature_hash": "K8a/AINcGX7"
  },
  {
    "package_name": "com.example.app.beta",
    "signature_hash": "AbC123XYZ89"
  }
]

How to Generate Your App Signature Hash

You must include your Android app signing key hash when creating the template.

Example command:

./sms_retriever_hash_v9.sh --package "com.example.myapplication" --keystore ~/.android/debug.keystore

Example output:

K8a/AINcGX7

This value must be exactly 11 characters long.

Step 1: Start the Handshake

Before sending the OTP message, your app must notify WhatsApp that an OTP is about to arrive.

This process is called a handshake.

Hibot strongly recommends using the WhatsApp OTP Android SDK.

Add the SDK in Gradle:

dependencies {
    implementation 'com.whatsapp.otp:whatsapp-otp-android-sdk:1.0.0'
}

repositories {
    mavenCentral()
}

Initiate the handshake:

WhatsAppOtpHandler whatsAppOtpHandler = new WhatsAppOtpHandler();
UUID handshakeId = whatsAppOtpHandler.sendOtpIntentToWhatsApp(context);

// Store this ID securely for later validation

The returned handshakeId must be stored because it will later be used to verify that the OTP is genuine.

Step 2: Configure Your Android Activity

Your app must define an activity that receives the OTP from WhatsApp.

Add this in AndroidManifest.xml:

<activity
   android:name=".ReceiveCodeActivity"
   android:enabled="true"
   android:exported="true">
   <intent-filter>
       <action android:name="com.whatsapp.otp.OTP_RETRIEVED" />
   </intent-filter>
</activity>

Step 3: Receive and Validate the OTP

Use the SDK to receive the code securely.

public class ReceiveCodeActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        WhatsAppOtpIncomingIntentHandler incomingIntentHandler =
            new WhatsAppOtpIncomingIntentHandler();

        String expectedHandshakeId = retrieveStoredHandshakeId();

        incomingIntentHandler.processOtpCode(
            getIntent(),
            expectedHandshakeId,
            (code) -> {
                validateCode(code);
            },
            (error, exception) -> {
                handleError(error, exception);
            }
        );
    }
}

The SDK automatically validates:

Handshake ID
OTP authenticity
Invalid or expired requests

Handshake Error Codes

Error Code	Meaning
HANDSHAKE_ID_MISSING	WhatsApp did not send a handshake ID
HANDSHAKE_ID_INVALID_FORMAT	Handshake ID is not a valid UUID
HANDSHAKE_ID_MISMATCH	Handshake ID does not match the stored value

Sending the Authentication Message

After the handshake starts, use Hibot WhatsApp Business API to send the authentication template.

curl -X POST "https://graph.facebook.com/v25.0/PHONE_NUMBER_ID/messages" \
-H "Authorization: Bearer ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
  "messaging_product": "whatsapp",
  "recipient_type": "individual",
  "to": "919999999999",
  "type": "template",
  "template": {
    "name": "verification_code",
    "language": {
      "code": "en_US"
    },
    "components": [
      {
        "type": "body",
        "parameters": [
          {
            "type": "text",
            "text": "123456"
          }
        ]
      },
      {
        "type": "button",
        "sub_type": "url",
        "index": 0,
        "parameters": [
          {
            "type": "text",
            "text": "123456"
          }
        ]
      }
    ]
  }
}'

Important:

The OTP value must appear twice:

Inside the body parameter
Inside the button parameter

Successful API Response

{
  "messaging_product": "whatsapp",
  "contacts": [
    {
      "input": "919999999999",
      "wa_id": "919999999999"
    }
  ],
  "messages": [
    {
      "id": "wamid.HBgLMTY1MDM4Nzk0MzkVAgARGBI4Qzc5QkNGNTc5NTMyMDU5QzEA"
    }
  ]
}

Why the Autofill Button May Not Appear

WhatsApp performs multiple checks before displaying the Autofill button.

If any check fails, users will see a Copy Code button instead.

The most common reasons are:

Handshake was never started
Handshake expired
Package name mismatch
Signature hash mismatch
No OTP receiving activity defined
Autofill button text missing

Eligibility checks include:

Handshake started within the last 10 minutes
Correct package name
Correct app signing hash
Matching handshake ID
Valid Android activity present

Detect Whether WhatsApp is Installed

Before offering WhatsApp login, you can check whether WhatsApp is installed on the user’s device.

Android example:

WhatsAppOtpHandler whatsAppOtpHandler = new WhatsAppOtpHandler();

if (whatsAppOtpHandler.isWhatsAppInstalled(context)) {
    // Show WhatsApp OTP option
}

Also add this in AndroidManifest.xml:

<queries>
    <package android:name="com.whatsapp" />
    <package android:name="com.whatsapp.w4b" />
</queries>

Check WhatsApp Installation on iPhone

let schemeURL = URL(string: "whatsapp://otp")!
let isWhatsAppInstalled = UIApplication.shared.canOpenURL(schemeURL)

If WhatsApp is not installed, you can fallback to:

SMS OTP
Email OTP
Manual code entry

Webhook for “I Didn’t Request This Code”

When a user taps “I didn’t request a code”, Hibot sends a webhook event.

Example payload:

{
  "button": {
    "payload": "DID_NOT_REQUEST_CODE",
    "text": "I didn't request a code"
  }
}

You can use this webhook to:

Detect suspicious login attempts
Block fraudulent sessions
Alert your security team
Force additional verification

Best Practices

To get the best results with Hibot One-Tap Autofill Authentication Templates:

Always use the OTP Android SDK
Store and validate the handshake ID
Keep OTP expiration under 10 minutes
Add a fallback Copy Code button
Test both WhatsApp and WhatsApp Business apps
Support multiple Android builds with supported_apps
Always provide SMS fallback for unsupported devices

Final Thoughts

One-Tap Autofill Authentication Templates help businesses deliver faster and more secure login experiences directly inside WhatsApp.

By integrating Hibot WhatsApp Business API with the new OTP Android SDK, businesses can:

Reduce OTP drop-offs
Improve sign-in speed
Increase conversion rates
Strengthen account security

If you are still using the older PendingIntent handshake flow, now is the right time to migrate before the April 15, 2026 deprecation deadline.