How to Send OTP via WhatsApp API Complete Guide 2026
A practical, production-ready guide for developers using Nabda OTP – the fastest WhatsApp OTP solution in Iraq (+964) and Syria (+963) and other countries.
Why Nabda OTP is the best choice for Iraq & Syria
Nabda OTP gives you direct access to WhatsApp without dealing with official Business API templates or Meta approval delays. Just create an instance and start sending OTPs instantly.
What you need to get started
- A Nabda OTP account
- One or more active instances (each instance = dedicated WhatsApp number)
- Instance-scoped token (Bearer token)
- Server-side OTP generation logic
Step-by-step: Send OTP using Nabda OTP API
Create and Select an Instance
After creating an instance from the dashboard, you must select it to get the instance token:
const res = await fetch("https://api.nabdaotp.com/api/v1/auth/select-instance", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ instanceId: "your-instance-id" })
});
const { accessToken } = await res.json();
// Store securely on your backend — never expose to the clientGenerate OTP on your backend
function generateOTP(length = 6) {
return Math.floor(
Math.pow(10, length - 1) +
Math.random() * (Math.pow(10, length) - Math.pow(10, length - 1))
).toString();
}
// Store hash (never store plain OTP)
const crypto = require('crypto');
const otp = generateOTP();
const hash = crypto.createHash('sha256').update(otp + secret).digest('hex');Send OTP via WhatsApp (Correct Endpoint)
const payload = {
phone: "+9647701234567", // Iraq (+964)
// phone: "+9639XXXXXXXX", // Syria (+963)
message: `Your Nabda verification code is ${otp}. Valid for 5 minutes. Do not share it.`
};
const response = await fetch("https://api.nabdaotp.com/api/v1/messages/send", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": `Bearer ${instanceToken}`
},
body: JSON.stringify(payload)
});
const result = await response.json();
if (result.success) {
console.log("✓ OTP sent via WhatsApp");
}Verify the OTP on your server
Always verify the OTP on the backend (never trust the client).
// On form submission — verify on the BACKEND, never the client
function verifyOTP(userInput, storedHash, secret) {
const inputHash = crypto
.createHash('sha256')
.update(userInput + secret)
.digest('hex');
return inputHash === storedHash;
}Optional: Configure Webhook for Delivery Status
await fetch("https://api.nabdaotp.com/api/v1/instances/webhook", {
method: "PATCH",
headers: {
"Content-Type": "application/json",
"Authorization": `Bearer ${instanceToken}`
},
body: JSON.stringify({
webhookUrl: "https://yourdomain.com/webhook/nabda",
webhookEnabled: true
})
});
// Your webhook handler receives events like:
// { event: "message.sent", phone: "+964...", status: "delivered" }Best Practices for Iraq & Syria
- Use E.164 format: +96477xxxxxxxx or +9639xxxxxxxx
- Keep OTP expiry between 3–8 minutes
- Send bilingual messages when possible (Arabic + English)
- Always include your brand name in the message
- Monitor webhook events for sent, delivered, and failures
Troubleshooting
401 Unauthorized → Make sure you selected the instance and using the instance token
Invalid phone → Must start with +964 or +963 or any other supported country code.
Message not received → Check that the instance is connected (QR code scanned)
Ready to start?
Create your first instance in seconds and start sending OTPs via WhatsApp today.