Conversation Authentication
Conversation authentication allows the agent to verify the user's identity before responding with sensitive information. The agent requests an identifying piece of data and validates the user against a configured database.
When the agent has access to sensitive information — pay stubs, employee records, client data — it cannot respond to just anyone who sends a message. Conversation authentication solves this: the agent asks the user to identify themselves before accessing that information, and verifies that identity against the company's records.
What is it for?
Without authentication, anyone who knows the agent's WhatsApp number could query confidential information. With authentication, the agent verifies that the person asking has the right to see that information.
Conversation authentication is useful when:
- The agent handles payroll information, pay stubs, or employee records
- The agent provides access to client data or contracts
- Different users have access to different types of information based on their role
- Evidence is required that only authorized users accessed the data
How does it work?
From the user's side the flow is simple: the agent requests an identifying piece of data (employee number, ID, PIN) and looks it up in the configured collection. If a record with that value exists, the user is identified and, after any OTP verification, authenticated; the agent can then respond with that record's data only. Note that an employee number or ID is an identifier, not a secret: anyone who knows it can pass this step, so enable Require OTP for sensitive data.
The process has three states:
| State | Meaning |
|---|---|
| Unidentified | The user has not yet identified themselves — no access to protected data |
| Pending | The user provided their identifying data and a record was found, but OTP verification has not completed yet |
| Authenticated | Identity verified — the user can access their data according to their roles |
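The three states above, with the OTP step and the inactivity revocation mentioned later on this page, as an added example in Python. This is illustrative code written for this page, not the product's implementation: a dict stands in for the configured collection, `send_otp` is a stand-in for the SMS/email channel, and the timeouts and attempt limit are assumed values.

```python
import hmac
import secrets
import time

# Constructed sample "Employees" collection keyed by the authentication field
# (assumption: a dict stands in for the configured database).
EMPLOYEES = {
    "1023": {"name": "Ana", "phone": "+34600000001", "access_roles": ["view_own_payroll"]},
    "2045": {"name": "Luis", "phone": "+34600000002", "access_roles": ["view_own_schedule"]},
}

UNIDENTIFIED, PENDING, AUTHENTICATED = "unidentified", "pending", "authenticated"
OTP_TTL = 300          # seconds an OTP stays valid (assumed value)
MAX_OTP_ATTEMPTS = 3   # wrong codes tolerated before the conversation drops back to unidentified
IDLE_TIMEOUT = 900     # seconds of inactivity after which access is revoked (assumed value)

SENT_CODES = []        # stand-in for the SMS/email channel: (destination, code) pairs


def send_otp(destination, code):
    """Hypothetical delivery hook; a real deployment would call the messaging provider."""
    SENT_CODES.append((destination, code))


class Conversation:
    """One WhatsApp/email conversation moving through the three states."""

    def __init__(self, collection, require_otp=True, now=time.time):
        self.collection = collection
        self.require_otp = require_otp
        self.now = now                  # injectable clock so expiry can be tested
        self.state = UNIDENTIFIED
        self.identity = None            # key of the matched record once authenticated
        self._pending = None            # [candidate key, code, issued_at, attempts_left]
        self.last_activity = now()

    def _touch(self):
        """Revoke access after IDLE_TIMEOUT seconds of silence, then record activity."""
        if self.state == AUTHENTICATED and self.now() - self.last_activity > IDLE_TIMEOUT:
            self._reset()
        self.last_activity = self.now()

    def _reset(self):
        self.state, self.identity, self._pending = UNIDENTIFIED, None, None

    def identify(self, value):
        """First factor: look the supplied identifier up in the collection."""
        self._touch()
        key = value.strip()
        record = self.collection.get(key)
        if record is None:
            return "unknown identifier"   # one message for any miss: no enumeration hints
        if not self.require_otp:
            self.state, self.identity = AUTHENTICATED, key
            return "authenticated"
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
        self._pending = [key, code, self.now(), MAX_OTP_ATTEMPTS]
        self.state = PENDING
        send_otp(record["phone"], code)
        return "otp sent"

    def verify_otp(self, code):
        """Second factor: constant-time compare, bounded attempts, expiry."""
        self._touch()
        if self.state != PENDING:
            return "no pending verification"
        key, expected, issued_at, attempts_left = self._pending
        if self.now() - issued_at > OTP_TTL:
            self._reset()
            return "otp expired"
        if hmac.compare_digest(code.strip(), expected):
            self.state, self.identity, self._pending = AUTHENTICATED, key, None
            return "authenticated"
        self._pending[3] = attempts_left - 1
        if self._pending[3] <= 0:
            self._reset()
            return "too many attempts"
        return "wrong code"

    def protected_record(self):
        """Data the agent may use when answering; None while not authenticated."""
        self._touch()
        if self.state != AUTHENTICATED:
            return None
        return self.collection[self.identity]


def demo():
    """Walk the happy path with a fixed clock; returns the sequence of outcomes."""
    conv = Conversation(EMPLOYEES, now=lambda: 1000.0)
    steps = [conv.protected_record() is None, conv.identify("9999"), conv.identify("1023")]
    real = SENT_CODES[-1][1]
    wrong = "111111" if real != "111111" else "222222"
    steps.append(conv.verify_otp(wrong))
    steps.append(conv.verify_otp(real))
    steps.append(conv.protected_record()["name"])
    return steps
```

Two details matter for security here: the lookup miss returns the same message whether the value is malformed or simply absent, so the agent cannot be used to enumerate valid employee numbers, and the OTP comparison uses `hmac.compare_digest`, is capped at a small number of attempts, and expires, which keeps a 6-digit code from being guessed in a conversation.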
How to use it?
Configure authentication on an agent
Authentication is configured as a System action tool that runs the "Authenticate conversation" action:
- Go to Tools and create a new tool of type System action.
- Select the action Authenticate conversation.
- Configure:
| Field | Description | Example |
|---|---|---|
| Collection | The database where users or employees are stored | "Employees" collection |
| Authentication field | The field the user must provide to identify themselves | "employee_number" or "id_number" field |
| Require OTP | Whether, in addition to identification, a verification code sent to the phone or email is required | Enable for highly sensitive data |
- Assign the tool to the agent along with the corresponding permissions and roles.
Define what information each user can see
In the employees or users collection, each record can have a roles field (access_roles in the example) that defines what the user can see once authenticated:
Example: the access_roles field of an employee record contains ["view_own_payroll", "view_own_schedule"]. The agent then answers payroll and schedule questions for that user only; the view_own_ roles never reach other employees' records, and a user whose record lacks a role gets no answer for that kind of data.
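How the role check and the "own record only" scoping can be applied once a conversation is authenticated, together with the audit evidence the "What is it for?" section asks for, as an added example in Python. This is illustrative code for this page, not the product's own logic: the collection is a constructed dict, the payroll and schedule fields and the role-to-field mapping are hypothetical, and `AUDIT_LOG` stands in for whatever log pipeline a deployment uses.

```python
import json
import time

# Constructed records carrying the access_roles field (assumption: a dict stands in for
# the collection; the payroll and schedule fields are illustrative).
EMPLOYEES = {
    "1023": {"name": "Ana", "access_roles": ["view_own_payroll", "view_own_schedule"],
             "payroll": {"2024-05": 2500}, "schedule": "Mon-Fri 09:00-17:00"},
    "2045": {"name": "Luis", "access_roles": ["view_own_schedule"],
             "payroll": {"2024-05": 2300}, "schedule": "Shift B"},
}

# Which role unlocks which field of the caller's OWN record (hypothetical mapping).
ROLE_FOR_FIELD = {"payroll": "view_own_payroll", "schedule": "view_own_schedule"}

AUDIT_LOG = []   # append-only evidence of who asked for what and whether it was allowed


def _audit(identity, field, requested_id, outcome, reason):
    AUDIT_LOG.append({"ts": time.time(), "identity": identity, "field": field,
                      "requested_id": requested_id, "outcome": outcome, "reason": reason})


def answer(identity, field, requested_id=None):
    """Resolve a data request for a conversation.

    identity      key matched during authentication (None while unidentified)
    field         record field the user is asking about
    requested_id  identifier the user named in the message, if any
    Returns (outcome, payload); every decision is written to AUDIT_LOG.
    """
    if identity is None:
        _audit(None, field, requested_id, "denied", "not authenticated")
        return ("denied", "please identify yourself first")
    # Scope rule: view_own_* roles only ever reach the caller's own record. A number quoted
    # in the message is never used as the lookup key, so a typo or a deliberate attempt to
    # read someone else's data gets a refusal instead of another person's record.
    if requested_id is not None and requested_id != identity:
        _audit(identity, field, requested_id, "denied", "other user's record")
        return ("denied", "you can only query your own record")
    needed = ROLE_FOR_FIELD.get(field)
    if needed is None:
        _audit(identity, field, requested_id, "denied", "unknown field")
        return ("denied", "unknown field")
    record = EMPLOYEES[identity]
    if needed not in record["access_roles"]:
        _audit(identity, field, requested_id, "denied", f"missing role {needed}")
        return ("denied", f"role {needed} not granted")
    _audit(identity, field, requested_id, "allowed", needed)
    return ("ok", record[field])


def audit_export():
    """One JSON line per decision, the shape a log pipeline would ingest."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in AUDIT_LOG)
```

The point to notice is that the authenticated identity, not anything typed in the message, selects the record; the identifier the user mentions is only compared, never looked up. Denied requests are logged with the same detail as allowed ones, which is what lets you later show that nobody read data they were not entitled to.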
Test the authentication flow
To verify it works correctly:
- Send a message to the agent as if you were an unidentified user.
- Ask something that requires authentication (e.g., "What was my salary this month?").
- The agent should request your employee number or ID before responding.
- Provide the identifying data.
- If you configured OTP, verify that the code arrives and that the verification works.
- After authenticating, the agent should respond only with your data, not that of others.
Key benefits
- The agent only responds with information belonging to the user who is asking — not to others
- No additional passwords: the identifying data already exists in the company's records. Because that identifier is not secret, pair it with OTP when the data warrants it (see Scenario 3 below)
- Second factor with OTP code for especially sensitive information
- Access is automatically revoked by inactivity — no risky "eternal sessions"
- Roles control what information each user can see without additional configuration
- Compatible with WhatsApp and email — the same mechanism works in both channels
Common use cases
Scenario 1: HR agent for pay stub queries The company configures a WhatsApp agent for the HR area. The agent can query pay stubs for the last 6 months. Without authentication, any employee could request another's pay stub. With authentication by employee number, the agent requests the number before responding. Employee 1023 asks for their pay stub — the agent looks up employee 1023 and responds only with that specific employee's data.
Scenario 2: Client agent with sensitive data A service company has a WhatsApp agent for clients. Clients can check the status of their contracts and service orders. Authentication uses the tax ID or client number as the identifier. Once authenticated, the client can only see their own contracts, not those of other clients. If the client names another client's number (by mistake or intentionally), the agent still only queries the record matched during authentication, so it has nothing to return about that other client.
Scenario 3: Two-factor authentication for critical information A manufacturing company's payroll agent handles salary data. For this type of information, OTP verification is also activated. The employee provides their employee number (first factor), and the agent sends a 6-digit code to their registered phone (second factor). Only after verifying the code can they see their payroll data. If someone obtains another person's employee number, they cannot complete authentication without access to the registered phone.