Flow Overview
- Start — Send phone number or email to receive an OTP code
- Verify — Submit the OTP code to verify identity
- Complete — (New customers only) Provide name and email to finish registration
POST /auth/start
Start an authentication session. Auto-detects the type based on provided fields.Authentication
None required (guest endpoint).Request
Headers
Body Parameters
Provide either
country_code + phone for phone authentication, or email for email authentication. The API auto-detects which flow to use.Example Request
Response
Success (200)
Error Responses
POST /auth/phone/start
Dedicated phone authentication endpoint. Behaves identically toPOST /auth/start with phone parameters but enforces phone-specific validation.
Body Parameters
POST /auth/initiate
Legacy authentication endpoint. Accepts atype field and nested data object instead of top-level fields.
Authentication
None required (guest endpoint).Body Parameters
Response
Same asPOST /auth/start.
POST /auth/verify
Verify the OTP code sent to the customer’s phone or email.Authentication
None required (guest endpoint).Request
Headers
Body Parameters
Example Request
Response
Existing Customer (200)
When the customer already exists in this store:Customer From Another Store (200)
When the customer exists in another store but not in this one, a new customer record is automatically created for this store:The
type field can be either "authenticated" (existing customer in this store) or "new_customer" (auto-created from another store). Both cases return a token and the customer can proceed immediately.New Customer (200)
When the phone/email is not registered in any store, the response indicates registration is required:Error Responses
POST /auth/phone/verify
Dedicated phone verification endpoint. Behaves identically toPOST /auth/verify.
POST /auth/resend
Resend the OTP code for an active session.Authentication
None required (guest endpoint).Request
Body Parameters
Example Request
Response
Success (200)
Error Responses
POST /auth/phone/resend
Dedicated phone resend endpoint. Behaves identically toPOST /auth/resend.
POST /auth/complete
Complete registration for new customers after OTP verification.Authentication
None required (guest endpoint). Requires a verified session token.Request
Body Parameters
Example Request
Response
Success (200)
Error Responses
Rate Limits Summary
Session Expiry
OTP sessions expire after 5 minutes. Expired sessions are automatically cleaned up. If a session expires, the customer must restart the authentication flow fromPOST /auth/start.
