post-api-mobile-single_scan_tokens

Get Access Code (Redemptions 2.0)

This API returns the single-scan code containing a UUID string in the API response. The loyalty user can use the single-scan code to pay, earn, and redeem a reward/offer with a single scan at the POS store. The value of the single_scan_code parameter returned in the API response can then be passed as the otp (one-time passcode) with the lookup_field parameter in the request of the Find User POS API. The OTP is a short-lived token generated via mobile app to securely identify guest users at the POS. The token expiration can be configured in the Punchh platform (contact your Punchh representative for more information). A user can generate only one token at a time. Each token is 6-34 alphanumeric characters.

Note: This mobile API endpoint (POST {server-name}/api2/mobile/single_scan_tokens) used for Redemptions 2.0 is the same as the Generate a Single Scan Code mobile API endpoint. When using this API with Redemptions 2.0, the following offers parameters must NOT be included with the request body:

  • reward_id
  • redeemable_id
  • banked_reward_amount
  • coupon
  • redeemable_card_count
Headers
  • Accept
    Type: string
    required

    Advertises which content types the client is able to understand

  • Authorization
    Type: string
    required

    Used to authorize the request with access_token. It should be supplied as Bearer ACCESS_TOKEN_GOES_HERE. Note: When authentication is performed using Advanced Authentication, you must include the id_token in the id-token header and the access_token in the Authorization header. See Access Punchh APIs Using Access and ID tokens

  • User-Agent
    Type: string
    required

    Used to Identify the software, device, and application initiating the request, providing information about the client to the server. For details, see User Agent.

  • punchh-app-device-id
    Type: string
    required

    The app device ID helps Punchh identify each device so that certain rewards can be awarded individually to each device instead of per user. For example, the sign-up reward is given to each device ID to prevent fraudulent sign-ups so that a user cannot do repeated sign-ups from a single device to get rewards. It should not change even if the user resets a device. See the sample code to generate the punchh-app-device-id header.

  • Content-Type
    Type: string
    required

    Set this header to application/json.

  • x-pch-digest
    Type: string
    required

    The signature for the API call

  • id-token
    Type: string

    A token that contains identity information about the authenticated user. It is used to verify the user’s identity and is required only when authentication is performed using Advanced Authentication. This token alone does not grant access to Punchh APIs. To access the APIs, you must include the id_token in the id-token header and the access_token in the Authorization header. See Access Punchh APIs Using Access and ID tokens

Body
application/json
  • client
    Type: string
    required

    OAuth client ID provided by the business

  • gift_card_uuid
    Type: string

    Identification number for gift card

  • payment_type
    Type: string

    Method of payment. Accepted values: CreditCard and GiftCard

  • tip
    Type: string

    Discretionary amount for tipping

Responses
  • 200
    Type: object
    • created_at
      Type: stringFormat: date-time

      Token creation timestamp, in YYYY-MM-DDThh:mm:ss format

    • expires_in
      Type: stringFormat: date-time

      Token expiration timestamp, in YYYY-MM-DDThh:mm:ss format. The token TTL (time to live) is 5-10 minutes.

    • single_scan_code
      Type: string

      6-digit token (one time authentication code)

  • 400
    Type: object
  • 422
    Type: object
post/api2/mobile/single_scan_tokens
{
  "expires_in": "2025-12-19T16:30:02.130Z",
  "created_at": "2025-12-19T16:30:02.130Z",
  "single_scan_code": "string"
}

OK