nOTP (WhatsApp) Settings

Customize your nOTP authentication from the Descope console (Authentication Methods > nOTP).

A one-time password (OTP) is an automatically generated string sent to the user during the onboarding (sign-up or sign-in) process to authenticate that user. The WhatsApp account will be waiting for the user to insert this OTP to continue the authentication process.

Enable Method in API and SDK

The Enable method in API and SDK toggle controls whether nOTP authentication can be invoked programmatically via APIs and SDKs.

  • When enabled: Authentication works via flows, APIs, and SDKs
  • When disabled: Authentication only works with flows or calls made with a valid management key

Available Settings

This section describes additional details about the configuration options available.

Expiration Time

Define length of time after which link or code expires. For increased security, we recommend an expiration time of 3-5 minutes. A shorter expiration time limits how long a malicious actor has to attempt an attack (such as a dictionary or brute force attack) on the code or link.

Allow Unverified Recipient Email Addresses or Phone Numbers

Note

Enabling this option may increase the risk of spam and fraud.

By default, messages are sent only to verified email addresses or phone numbers. When enabled, this option allows messages to be sent to unverified email addresses or phone numbers.

Connector

Configure the connector to utilize to send the nOTP message (See below for connector details). The default is Descope.

WhatsApp Connector Setup

Add your own WhatsApp business account for nOTP authentication from the Descope console (Connectors > WhatsApp Chat). This will allow you to customize the messages (verification approval, error) if needed.

Prerequisites

  1. WhatsApp business account
  2. Set up Webhooks

Connector Setup

  • Connector name: Custom name for your connector. This will come in handy when creating multiple connectors from the same connector template.
  • Connector description: Describe what your connector is used for.
  • Phone Number ID: The WhatsApp unique phone number ID for the account phone number. See WhatsApp documentation above for more details
  • Phone Number: The WhatsApp account phone number. See WhatsApp documentation for more details
  • Token: The authentication token associated with the phone number Id.
  • App Secret: The app secret associated with the WhatsApp Web Application.
  • Webhook Verify Token: The webhook verify token associated with the WhatsApp Web Application.

Templates (Verification, Approval, Error)

If you are using a customized connector, you can change the templates of the message which your user will receive. The default is System.

You can use your WhatsApp business account to set up templates.

Descope nOTP customize messages

Additional Steps

You need to configure the webhook in the WhatsApp Web Application:

  • Callback URL: set https://api.descope.com/v1/whatsapp/webhook/<your-project-id>
  • Verify Token: set the webhook verify token associated with the WhatsApp Web Application. Read more about setting up webhooks in the WhatsApp Business API settings on the Developer Facebook Docs.
TriangleAlert

Important Note

In order to save the callback URL in WhatsApp app, you need to set the connector in the nOTP authentication page.

Was this helpful?

On this page