Skip to main content
The Embed API uses an OTP (one-time password) flow to authenticate customers. This enables verified checkout without requiring the customer to have an existing account.

Authentication Flow

1

Start session

Send the customer’s phone number to receive an OTP code via WhatsApp (with SMS fallback).
2

Verify OTP

Submit the 4-digit code. If the customer exists, they are authenticated immediately. If new, they proceed to registration.
3

Complete registration (new customers only)

Provide name and email to create the customer account.
4

Use token

The returned Sanctum token is used for authenticated checkout endpoints.

Start Authentication

Sends an OTP code to the customer’s phone number via WhatsApp, falling back to SMS if WhatsApp delivery fails.

Headers

Request Body

Success Response (200)

Error Responses


Resend OTP

Resend the verification code via SMS. The original code is replaced with a new one.

Request Body

Success Response (200)

Error Responses

Resends always go via SMS, not WhatsApp. The verification code is regenerated on each resend, so only the latest code is valid.

Verify OTP

Submit the 4-digit OTP code to verify the customer’s phone number.

Request Body

Success Response - Existing Customer (200)

If the customer already exists in this store (or in another store on the platform), they are authenticated immediately:

Success Response - New Customer (200)

If no customer record exists for this phone number, the response indicates registration is needed:

Error Responses

Invalid code response example:
Customers get 3 attempts per OTP code. After exhausting all attempts, they must request a new code via the resend endpoint.

Complete Registration

Register a new customer after successful OTP verification. Only callable when the verify response returned status: "needs_registration".

Request Body

Success Response (200)

Error Responses


Validate Token

Check if a previously saved token is still valid for a specific product. Use this to restore a customer’s session without re-authenticating.

Headers

Request Body

Success Response (200)

Error Responses

Store the authentication token in localStorage and call this endpoint when the embed widget loads. If the token is valid, skip the OTP flow entirely and go straight to checkout.