A powerful WhatsApp-based OTP (One-Time Password) verification system that seamlessly integrates phone number verification into your websites and applications. Send 6-digit verification codes via WhatsApp and verify them through simple API endpoints.
- π Secure OTP Generation - Random 6-digit codes sent via WhatsApp
- β API-Based Verification - RESTful endpoints for easy integration
- πΎ MongoDB Storage - Secure and scalable OTP data management
- β° Auto-Expiration - OTPs expire after 10 minutes
- π‘οΈ Rate Limiting - Maximum 5 verification attempts per OTP
- π Real-time Dashboard - Monitor bot status and statistics
- π International Support - Works with phone numbers worldwide
- π Plugin System - Extensible architecture for custom features
- π± Multi-Session Support - Multiple session storage methods
- Runtime: Node.js 20.x
- WhatsApp Client: @whiskeysockets/baileys - WhatsApp Web API
- Web Framework: Express.js 4.x
- Database: MongoDB with Mongoose ODM
- Multi-file auth state with Baileys
- Session persistence across multiple providers:
- GitHub Repository Storage
- MongoDB API Storage
- MEGA.nz Cloud Storage
- Custom Ice/Darex Session Servers
- QR Code: qrcode-terminal - Terminal QR code generation
- Image Processing: Jimp - Image manipulation
- Date/Time: Moment.js - Time formatting and calculations
- HTTP Client: Axios - API requests
- File Type Detection: file-type
- Logging: Pino (P)
- Package Manager: npm
- Version Control: Git
- Deployment: Replit (recommended)
- WhatsApp account (phone number)
- MongoDB database (MongoDB Atlas recommended)
- Node.js environment (20.x or higher)
-
Clone or Deploy
git clone <repository-url> cd wa-otp-bot
-
Install Dependencies
npm install
-
Configure Environment
Add to Replit Secrets or create
.envfile:MONGODB_URI=your_mongodb_connection_string SESSION_ID=your_session_id (optional) PREFIX=. (default) MODE=public (public/private/inbox/groups)
-
Start the Bot
npm start
-
Scan QR Code
- Open WhatsApp on your phone
- Go to Settings β Linked Devices
- Scan the QR code displayed in terminal
-
Your OTP API is Live!
https://your-replit-app.replit.app
https://your-replit-app.replit.app
GET /api/sendotp?number=263719647303Response:
{
"success": true,
"message": "OTP sent successfully",
"phoneNumber": "263719647303",
"expiresIn": 600
}GET /api/verifyotp?number=263719647303&code=123456Response:
{
"success": true,
"message": "OTP verified successfully",
"phoneNumber": "263719647303"
}GET /api/statusResponse:
{
"success": true,
"bot": {
"connected": true,
"uptime": 3600,
"phoneNumber": "1234567890"
},
"stats": {
"total": 150,
"verified": 120,
"pending": 30,
"last24Hours": 45
}
}<script>
const API_URL = 'https://your-app.replit.app';
async function sendOTP(phone) {
const res = await fetch(`${API_URL}/api/sendotp?number=${phone}`);
return await res.json();
}
async function verifyOTP(phone, code) {
const res = await fetch(`${API_URL}/api/verifyotp?number=${phone}&code=${code}`);
return await res.json();
}
</script>const verifyPhone = async (phone, code) => {
try {
const response = await fetch(
`${API_URL}/api/verifyotp?number=${phone}&code=${code}`
);
const data = await response.json();
return data.success;
} catch (error) {
console.error('Verification failed:', error);
return false;
}
};const axios = require('axios');
app.post('/verify-user', async (req, res) => {
const { phone, otpCode } = req.body;
const response = await axios.get(
`${OTP_API}/api/verifyotp?number=${phone}&code=${otpCode}`
);
if (response.data.success) {
// User verified, proceed with registration
res.json({ verified: true });
} else {
res.status(400).json({ error: 'Invalid OTP' });
}
});.
βββ index.js # Main bot entry point & connection logic
βββ settings.js # Configuration settings
βββ lib/
β βββ command.js # Command registration system
β βββ functions.js # Utility functions
β βββ msg.js # Message handling utilities
β βββ otpRoutes.js # API endpoints & web dashboard
β βββ otpService.js # OTP generation & MongoDB logic
βββ plugins/
β βββ alive.js # Bot status command plugin
βββ session/ # WhatsApp session data (auto-generated)
βββ docs.md # Complete API documentation
βββ package.json # Dependencies & scripts
| Variable | Description | Default |
|---|---|---|
MONGODB_URI |
MongoDB connection string | Required |
SESSION_ID |
WhatsApp session ID | Optional |
PREFIX |
Bot command prefix | . |
MODE |
Bot mode (public/private/inbox/groups) | public |
PORT |
Server port | 5000 |
- public: Responds to everyone
- private: Owner only
- inbox: Private chats only
- groups: Group chats only
{
phoneNumber: String, // Formatted phone number
code: String, // 6-digit OTP code
verified: Boolean, // Verification status
attempts: Number, // Verification attempts count
createdAt: Date, // Creation timestamp
expiresAt: Date, // Expiration (10 mins)
verifiedAt: Date // Verification timestamp
}- β HTTPS recommended for production
- β Rate limiting (max 5 attempts per OTP)
- β Auto-expiration (10 minutes)
- β Secure MongoDB storage
- β Phone number validation
- β No OTP reuse after verification
- Verify WhatsApp Web is accessible
- Check session credentials
- Scan QR code again if needed
- Review console logs for errors
- Confirm bot status via
/api/status - Verify phone number format (with country code)
- Ensure recipient is on WhatsApp
- Check MongoDB connection
- Verify
MONGODB_URIis correct - Check database permissions
- Ensure MongoDB cluster is running
For complete API documentation and integration guides, see docs.md
Contributions are welcome! Please feel free to submit a Pull Request.
This project is open source and available under the MIT License.
Developer: Darrell Mucheri (Mr Frank)
Contact: +263719647303
GitHub: @mrfr8nk
- Baileys WhatsApp Web API team
- Open source community
- All contributors
Made with β€οΈ by Mr Frank (Darrell Mucheri)
β Star this repo if you find it helpful!
