
Zero-Tap Authentication Templates with Hibot WhatsApp Business API


Updated: April 2026

Zero-Tap Authentication Templates in Hibot WhatsApp Business API allow users to receive one-time passwords directly inside your Android app without opening WhatsApp or tapping any button.

When a user requests a login code in your app, WhatsApp automatically broadcasts the OTP to your app in the background. Your app instantly receives the code and fills it automatically.

From the user’s point of view, the verification code appears immediately inside the app with zero manual steps.


Important: Starting April 15, 2026, the old PendingIntent-based handshake method will be deprecated. Hibot strongly recommends migrating to the WhatsApp OTP Android SDK.

What Is Zero-Tap Authentication?


Zero-Tap Authentication is the fastest OTP experience available in WhatsApp Business API.

Unlike One-Tap Autofill, the user does not need to:

  • Open WhatsApp

  • Tap an Autofill button

  • Copy and paste the OTP

Instead:

  1. User requests OTP in your app

  2. Your app initiates a secure handshake

  3. Hibot sends the authentication template

  4. WhatsApp automatically broadcasts the OTP

  5. Your app captures and verifies the code instantly

Typical WhatsApp message shown to users:


123456 is your verification code.

The user may never even open the WhatsApp message because the OTP is already filled automatically inside the app.


Fallback Behavior


If Zero-Tap delivery fails for any reason, WhatsApp automatically falls back to:

  1. One-Tap Autofill button

  2. Copy Code button

For this reason, every Zero-Tap template must include the following, even if users never see these fallback options:

  • Zero-Tap configuration

  • One-Tap Autofill text

  • Copy Code button text


Important Limitations


Zero-Tap Authentication only works on Android devices.

For non-Android devices:

  • iPhone users receive a Copy Code button

  • Unsupported devices receive a Copy Code button

Also note:

  • Media is not supported

  • URLs are not supported

  • Emojis are not supported


Best Practices Before Using Zero-Tap

Hibot recommends following these practices before enabling Zero-Tap OTP delivery:

  • Do not make WhatsApp your only OTP delivery option

  • Offer SMS or email as a fallback

  • Tell users that the OTP will automatically appear inside the app

  • Show a confirmation after the OTP is received successfully

  • Explain how automatic verification works for user trust

Example message inside your app:


We’ll automatically fill your verification code from WhatsApp.

Create a Zero-Tap Authentication Template


Use the Hibot WhatsApp Business API template endpoint.


curl -X POST "https://graph.facebook.com/v25.0/WHATSAPP_BUSINESS_ACCOUNT_ID/message_templates" \
-H "Authorization: Bearer ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
  "name": "zero_tap_auth_template",
  "language": "en_US",
  "category": "authentication",
  "message_send_ttl_seconds": 60,
  "components": [
    {
      "type": "body",
      "add_security_recommendation": true
    },
    {
      "type": "footer",
      "code_expiration_minutes": 5
    },
    {
      "type": "buttons",
      "buttons": [
        {
          "type": "otp",
          "otp_type": "zero_tap",
          "text": "Copy Code",
          "autofill_text": "Autofill",
          "zero_tap_terms_accepted": true,
          "supported_apps": [
            {
              "package_name": "com.example.myapp",
              "signature_hash": "K8a/AINcGX7"
            }
          ]
        }
      ]
    }
  ]
}'

Required Template Fields


| Field | Description |
| --- | --- |
| otp_type | Must be set to zero_tap |
| text | Copy Code button label |
| autofill_text | One-Tap Autofill button label |
| zero_tap_terms_accepted | Must be true |
| package_name | Android app package name |
| signature_hash | Android app signing key hash |
| code_expiration_minutes | OTP expiration time |

Example:

{
  "otp_type": "zero_tap",
  "text": "Copy Code",
  "autofill_text": "Autofill",
  "zero_tap_terms_accepted": true,
  "package_name": "com.example.myapp",
  "signature_hash": "K8a/AINcGX7"
}

You Must Accept Zero-Tap Terms


The field below is mandatory:


"zero_tap_terms_accepted": true

If this value is false, the template will not be created.

By enabling this option, you confirm that:

  • Users expect automatic OTP delivery

  • Your app clearly explains Zero-Tap behavior

  • You comply with WhatsApp Business Terms


Add Support for Multiple Android Apps


You can support up to 5 app builds in one template.

Example:


"supported_apps": [
  {
    "package_name": "com.example.app",
    "signature_hash": "K8a/AINcGX7"
  },
  {
    "package_name": "com.example.app.beta",
    "signature_hash": "ABc123XYZ89"
  }
]

This is useful for:

  • Production apps

  • Staging apps

  • Beta apps

  • White-label builds
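A pre-submission check for the rules stated in the sections above (required fields, accepted terms, at most 5 supported apps) plus the 11-character hash length this page requires. This is an added example, not Hibot's or Meta's code; `check_zero_tap_template` and its two regular expressions are assumptions made for illustration.

```python
import re

# The rules checked are the ones this page states. The function name and both
# regular expressions are assumptions made for this example.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")
HASH_RE = re.compile(r"[A-Za-z0-9+/]{11}")  # exactly 11 base64 characters
MAX_SUPPORTED_APPS = 5


def check_zero_tap_template(template):
    """Return a list of problems; an empty list means the payload passes."""
    components = {c.get("type"): c for c in template.get("components", [])}
    buttons = components.get("buttons", {}).get("buttons", [])
    otp = next((b for b in buttons if b.get("type") == "otp"), None)
    if otp is None:
        return ["no otp button in the buttons component"]
    problems = []
    if otp.get("otp_type") != "zero_tap":
        problems.append("otp_type must be zero_tap")
    # The JSON string "true" is not the boolean true.
    if otp.get("zero_tap_terms_accepted") is not True:
        problems.append("zero_tap_terms_accepted must be true")
    for field in ("text", "autofill_text"):
        if not otp.get(field):
            problems.append(f"{field} is required for the fallback buttons")
    if "code_expiration_minutes" not in components.get("footer", {}):
        problems.append("footer.code_expiration_minutes is missing")
    apps = otp.get("supported_apps", [])
    if not 1 <= len(apps) <= MAX_SUPPORTED_APPS:
        problems.append(f"supported_apps needs 1 to {MAX_SUPPORTED_APPS} entries")
    for i, app in enumerate(apps):
        if not PACKAGE_RE.fullmatch(str(app.get("package_name", ""))):
            problems.append(f"supported_apps[{i}]: bad package_name")
        if not HASH_RE.fullmatch(str(app.get("signature_hash", ""))):
            problems.append(f"supported_apps[{i}]: signature_hash is not 11 characters")
    return problems


# Constructed sample: the components of the template shown on this page.
PAGE_TEMPLATE = {"category": "authentication", "components": [
    {"type": "body", "add_security_recommendation": True},
    {"type": "footer", "code_expiration_minutes": 5},
    {"type": "buttons", "buttons": [{
        "type": "otp", "otp_type": "zero_tap", "text": "Copy Code",
        "autofill_text": "Autofill", "zero_tap_terms_accepted": True,
        "supported_apps": [{"package_name": "com.example.myapp",
                            "signature_hash": "K8a/AINcGX7"}]}]}]}

if __name__ == "__main__":
    print(check_zero_tap_template(PAGE_TEMPLATE))
```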


Generate the App Signing Key Hash


Your Android signing key hash is required.

Example command:


./sms_retriever_hash_v9.sh --package "com.example.myapplication" --keystore ~/.android/debug.keystore

Example result:

K8a/AINcGX7

The signature hash must always be exactly 11 characters.
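How the 11-character value is derived, and why a hash taken from `debug.keystore` does not match a release build, shown as an added example (not code from Hibot or from the script above). It assumes the script follows the published SMS Retriever app-hash algorithm; the function names and certificate bytes are constructed stand-ins.

```python
import base64
import hashlib


def app_signature_hash(package_name: str, cert_der: bytes) -> str:
    """11-character app hash in the SMS Retriever style.

    SHA-256 over "<package> <lowercase hex of the signing certificate>",
    truncated to 9 bytes, base64-encoded, first 11 characters kept.
    """
    app_info = f"{package_name} {cert_der.hex()}".encode("utf-8")
    digest = hashlib.sha256(app_info).digest()[:9]
    return base64.b64encode(digest).decode("ascii")[:11]


def find_registered_build(supported_apps, package_name, cert_der):
    """Return the supported_apps entry matching this build, or None."""
    wanted = app_signature_hash(package_name, cert_der)
    for entry in supported_apps:
        if (entry["package_name"], entry["signature_hash"]) == (package_name, wanted):
            return entry
    return None


# Constructed stand-ins for two DER-encoded signing certificates. Real input
# comes from the keystore, e.g. `keytool -exportcert -alias <alias> -keystore <file>`.
DEBUG_CERT = b"constructed-debug-certificate"
RELEASE_CERT = b"constructed-release-certificate"

# A template that registered only the hash derived from the debug keystore.
TEMPLATE_APPS = [{
    "package_name": "com.example.myapp",
    "signature_hash": app_signature_hash("com.example.myapp", DEBUG_CERT),
}]

if __name__ == "__main__":
    for label, cert in (("debug", DEBUG_CERT), ("release", RELEASE_CERT)):
        hit = find_registered_build(TEMPLATE_APPS, "com.example.myapp", cert)
        print(label, app_signature_hash("com.example.myapp", cert),
              "registered" if hit else "NOT registered")
```

A build whose package name and hash are not in `supported_apps` fails the package name and signature hash checks listed under Why Zero-Tap May Fail, so users get the fallback buttons instead.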


Step 1: Install the OTP Android SDK


Hibot recommends using the official WhatsApp OTP Android SDK.

Add this to your Gradle file:


dependencies {
    implementation 'com.whatsapp.otp:whatsapp-otp-android-sdk:1.0.0'
}

repositories {
    mavenCentral()
}

Step 2: Start the Handshake


Before sending the Zero-Tap message, your app must notify WhatsApp that an OTP is coming.

WhatsAppOtpHandler whatsAppOtpHandler = new WhatsAppOtpHandler();
UUID handshakeId = whatsAppOtpHandler.sendOtpIntentToWhatsApp(context);

// Store this handshake ID securely

The returned handshake ID must be stored because it will later be validated when the OTP arrives.


Step 3: Create the Zero-Tap Broadcast Receiver


Add this to AndroidManifest.xml:

<receiver
   android:name=".OtpCodeReceiver"
   android:enabled="true"
   android:exported="true">
   <intent-filter>
       <action android:name="com.whatsapp.otp.OTP_RETRIEVED" />
   </intent-filter>
</receiver>

This receiver is automatically triggered when WhatsApp broadcasts the OTP.


Step 4: Receive and Validate the OTP


Use the SDK to securely receive the code.

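import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
// WhatsAppOtpIncomingIntentHandler comes from the OTP Android SDK added in Step 1.

public class OtpCodeReceiver extends BroadcastReceiver {

    @Override
    public void onReceive(Context context, Intent intent) {

        WhatsAppOtpIncomingIntentHandler handler =
            new WhatsAppOtpIncomingIntentHandler();

        // Handshake ID saved in Step 2 (retrieveStoredHandshakeId is your app's own helper)
        String expectedHandshakeId = retrieveStoredHandshakeId();

        handler.processOtpCode(
            intent,
            expectedHandshakeId,
            // Success callback: receives the OTP code
            (code) -> {
                validateCode(code);
            },
            // Error callback: receives the error and the exception
            (error, exception) -> {
                handleError(error, exception);
            }
        );
    }
}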

The SDK automatically checks:

  • OTP validity

  • Handshake ID

  • Expired requests

  • Invalid broadcasts


Optional One-Tap Fallback Activity


If Zero-Tap delivery fails, WhatsApp may still show a One-Tap Autofill button.

To support this fallback, add the following activity:


<activity
   android:name=".ReceiveCodeActivity"
   android:enabled="true"
   android:exported="true">
   <intent-filter>
       <action android:name="com.whatsapp.otp.OTP_RETRIEVED" />
   </intent-filter>
</activity>

Example activity:

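import android.content.Intent;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;

public class ReceiveCodeActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        Intent intent = getIntent();

        // Compare the incoming request ID with the one your app stored earlier
        // (retrieveStoredRequestId is your app's own helper)
        String incomingRequestId = intent.getStringExtra("request_id");
        String storedRequestId = retrieveStoredRequestId();

        // Only accept the code when the IDs match
        if (storedRequestId != null && storedRequestId.equals(incomingRequestId)) {
            String otpCode = intent.getStringExtra("code");
            validateCode(otpCode);
        }
    }
}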

Why Zero-Tap May Fail


WhatsApp performs multiple eligibility checks before broadcasting the OTP.

If any check fails, the OTP will not be delivered automatically.

Checks include:

  • Handshake started within the last 10 minutes

  • Package name matches

  • Signature hash matches

  • Broadcast receiver exists

  • Fallback activity exists

  • Valid handshake ID present

If these checks fail:

  • WhatsApp first tries One-Tap Autofill

  • If that also fails, WhatsApp shows Copy Code


Handshake Error Codes


| Error Code | Meaning |
| --- | --- |
| HANDSHAKE_ID_MISSING | WhatsApp did not send the handshake ID |
| HANDSHAKE_ID_INVALID_FORMAT | Handshake ID is not a valid UUID |
| HANDSHAKE_ID_MISMATCH | Handshake ID does not match the stored value |

Check Whether WhatsApp Is Installed


Before showing WhatsApp OTP as an option, detect whether WhatsApp is installed.

Add this to AndroidManifest.xml:


<queries>
    <package android:name="com.whatsapp" />
    <package android:name="com.whatsapp.w4b" />
</queries>

Then use:

WhatsAppOtpHandler whatsAppOtpHandler = new WhatsAppOtpHandler();

if (whatsAppOtpHandler.isWhatsAppInstalled(context)) {
    // Enable WhatsApp OTP option
}

Send the Zero-Tap Authentication Message


After the handshake starts, send the OTP template using Hibot WhatsApp Business API.


curl -X POST "https://graph.facebook.com/v25.0/PHONE_NUMBER_ID/messages" \
-H "Authorization: Bearer ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
  "messaging_product": "whatsapp",
  "recipient_type": "individual",
  "to": "919999999999",
  "type": "template",
  "template": {
    "name": "zero_tap_auth_template",
    "language": {
      "code": "en_US"
    },
    "components": [
      {
        "type": "body",
        "parameters": [
          {
            "type": "text",
            "text": "123456"
          }
        ]
      },
      {
        "type": "button",
        "sub_type": "url",
        "index": "0",
        "parameters": [
          {
            "type": "text",
            "text": "123456"
          }
        ]
      }
    ]
  }
}'

Important:

The OTP code must be sent twice:

  • In the body parameter

  • In the button parameter


Example Successful Response


{
  "messaging_product": "whatsapp",
  "contacts": [
    {
      "input": "919999999999",
      "wa_id": "919999999999"
    }
  ],
  "messages": [
    {
      "id": "wamid.HBgLMTY1MDM4Nzk0MzkVAgARGBI4Qzc5QkNGNTc5NTMyMDU5QzEA"
    }
  ]
}

Final Thoughts


Zero-Tap Authentication Templates provide the fastest and most seamless login experience available through Hibot WhatsApp Business API.

Businesses using Zero-Tap can:

  • Reduce OTP drop-offs

  • Speed up login flows

  • Improve conversion rates

  • Eliminate manual OTP entry

  • Deliver a premium mobile experience

However, because the older PendingIntent method will be deprecated on April 15, 2026, businesses should migrate to the OTP Android SDK as soon as possible.

 
 
 
