post-api-auth-password_less-token

Send OTP

Sends an OTP (One-Time Password) by email or SMS, depending on the communication channel (email, SMS, or both) configured for the business on the Punchh platform.

Prerequisites
The Advanced Authentication feature must be enabled for the business in the Punchh platform; otherwise, the API request will return an error. Contact your Punchh representative for more information about this Punchh platform configuration.

For more information, see Advanced Authentication.

Headers
  • Accept
    Type: string
    required

    Advertises which content types the client is able to understand

  • User-Agent
    Type: string
    required

    For details, see User Agent.

  • Content-Type
    Type: string
    required

    Set this header to application/json

  • punchh-app-device-id
    Type: string
    required

    The app device ID helps Punchh identify each device so that certain rewards can be awarded individually to each device instead of per user. For example, the sign-up reward is given to each device ID to prevent fraudulent sign-ups so that a user cannot do repeated sign-ups from a single device to get rewards. It should not change even if the user resets a device. See the sample code to generate the punchh-app-device-id header.

Body
application/json
  • If the email address or phone number is not provided, the API returns a communication channel missing error when both communication channels are enabled for the business.
  • If the phone number is provided but phone is not enabled as a communication channel for the business, the API returns a parameter missing error for phone.
  • If the email address is provided but the email is not enabled as a communication channel for the business, the API returns a parameter missing error for email.
  • If the validation method enabled for the business is not provided in the request, the API returns a validation method missing error for the validation method that is enabled.

Contact your Punchh representative for more information about these Punchh platform configurations.

  • client
    Type: string
    required

    OAuth client ID provided by the business

  • code_challenge
    Type: string
    required

    The base64url-encoded SHA-256 hash of the code_verifier, a random string generated by the mobile or online app. See PKCE Flow for details.

  • email
    Type: string

    Email address of the user where the OTP will be sent. Either email or phone is required.

  • phone_ext
    Type: string

    Country code, which enables support for international phone numbers. It should be preceded by a +, e.g. +1 (country code for the US and Canada).

  • phone_number
    Type: string

    Phone number of the user where the OTP will be sent. Either email or phone is required. Providing an incorrect phone number results in an undelivered SMS message.

  • privacy_policy
    Type: boolean
    required

    Indicates whether the user has agreed to the business's privacy policy. Possible values: true, false. This parameter must be set to "true" for a successful API call. If the parameter is not specified or set to "false", the API returns a 422 error with the message: "Please agree on given privacy policy".

  • terms_and_conditions
    Type: boolean
    required

    Indicates whether the user has accepted the business’s terms and conditions. Possible values: true, false. This parameter must be set to "true" for a successful API call. If the parameter is not specified or set to "false", the API returns a 422 error with the message: "Please agree on given terms and conditions".

  • validation_method
    Type: string

    Method used to validate the user. Possible values: otp
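
One way a client could derive code_challenge from a fresh code_verifier and assemble the request body from the parameters above. This is an added example, not Punchh's sample code: the function names, the placeholder client ID and the sample email address are assumptions, and stripping the "=" padding follows RFC 7636 (S256), which is assumed to match the PKCE Flow referenced above.

```python
import base64
import hashlib
import json
import secrets


def new_code_verifier() -> str:
    # 32 random bytes -> 43 URL-safe characters (RFC 7636 allows 43-128).
    # The verifier stays on the device; only the challenge is sent.
    return secrets.token_urlsafe(32)


def code_challenge_s256(code_verifier: str) -> str:
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    # base64url without '=' padding, per RFC 7636 (assumed here)
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_send_otp_body(client, code_verifier, agreed_privacy, agreed_terms,
                        email=None, phone_ext=None, phone_number=None):
    # Mirror the documented server-side checks so bad input fails locally.
    if not email and not phone_number:
        raise ValueError("either email or phone_number is required")
    if phone_ext and not phone_ext.startswith("+"):
        raise ValueError("phone_ext should be preceded by '+'")
    if not (agreed_privacy and agreed_terms):
        raise ValueError("the API returns 422 unless both consents are true")
    body = {
        "client": client,
        "code_challenge": code_challenge_s256(code_verifier),
        "privacy_policy": True,
        "terms_and_conditions": True,
        "validation_method": "otp",
    }
    if email:
        body["email"] = email
    if phone_number:
        body["phone_number"] = phone_number
        if phone_ext:
            body["phone_ext"] = phone_ext
    return body


if __name__ == "__main__":
    verifier = new_code_verifier()  # keep for the later token exchange
    # Constructed sample values; the client ID is a placeholder.
    print(json.dumps(build_send_otp_body(
        "CLIENT_ID_PLACEHOLDER", verifier, True, True,
        email="user@example.com"), indent=2))
```
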

Responses
  • 200
    Type: object
    • data
      Type: object
  • 400
    Type: object
    • errors
      Type: object
  • 404
    Type: object
    • errors
      Type: object
  • 412
    Type: object
    • errors
      Type: object
  • 422
    Type: object
    • errors
      Type: object
  • 503
    Type: object
    • errors
      Type: object
POST /api2/password_less/token
{
  "data": {
    "message": [
      "string"
    ]
  }
}