As the digital front door to your brand, your login experience needs to be both secure and seamless. That’s why we built PAR Advanced Authentication—a foundational upgrade to how your guests sign in across mobile apps, online ordering, kiosks, and even POS.
With next-gen identity flows that balance security and speed, Advanced Authentication gives developers more control, IT teams greater protection, and brand administrators the flexibility to tailor every experience—without needing engineering support for every change.
Let’s dive into how it works and how to get started.
What Is Advanced Authentication?
Advanced Authentication delivers:
- Seamless guest login experiences (via OTPs instead of passwords)
- Stronger protection against unauthorized access
- Customizable login methods per brand, managed without engineering effort
What Problem Are We Solving?
Prior to Advanced Authentication, Punchh primarily used email and password logins for mobile and online platforms, while POS systems relied on phone number lookups handled by a cashier.
Advanced Authentication enhances this with a more secure method: One-Time Passwords (OTPs). These are sent via SMS or email, eliminating the need for persistent passwords and reducing the risk of credential theft.
Behind the scenes, we use Proof Key for Code Exchange (PKCE)—a widely accepted security protocol outlined in IETF RFC 7636—to protect each login request with verified tokens and code challenges.
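The PKCE mechanics the paragraph above refers to, as an added example that is not PAR Punchh's own code: it derives a code_challenge from a code_verifier exactly as RFC 7636 specifies (S256 method) and shows the check a token endpoint performs. The page does not describe how Punchh's endpoints carry these values, so the function names and the server-side check are generic RFC illustrations, not the Punchh API.

```python
# Added example (not PAR Punchh's own code): RFC 7636 code_verifier /
# code_challenge derivation and the server-side comparison. Function names
# are illustrative; the page does not document how Punchh transports them.
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
_ALLOWED = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier. 32 random bytes encode to 43 chars (the RFC
    minimum); 96 bytes encode to 128 chars (the maximum)."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be between 32 and 96")
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not _ALLOWED.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """What a token endpoint does at exchange time: recompute the challenge
    from the presented verifier and compare in constant time. A verifier that
    fails the charset/length check is rejected before hashing."""
    if not _ALLOWED.match(presented_verifier):
        return False
    recomputed = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(stored_challenge, recomputed)
```

The RFC's own test vector (Appendix B) is the quickest sanity check: the verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must produce the challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`. The verifier is generated fresh per login attempt and never leaves the client until the exchange step, which is what stops an intercepted authorization code from being redeemed by someone else.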
Real-World Use: Mobile App Login
- The user enters their phone number or email.
- An OTP is sent to the provided contact method.
- The user inputs the OTP into the app.
- If verified, secure tokens are issued and stored for future use.
- The user can now make authenticated API calls within the app.
Brand Admin Tip: Want to customize the experience? You can enable Email, SMS, or both for your brand—no engineering help needed.
What’s Next: Expanding to New Channels
- Online Ordering — Same OTP-based login experience embedded into your ordering platform
- Kiosks — Users enter their details and receive an OTP, just like on mobile.
- POS — A cashier interface prompts the user for OTP verification.
Implementation Details for Developers
TL;DR – Software Changes at a Glance
Key API Calls:
- POST /api2/password_less/token – send OTP
- POST /api2/password_less/verify – verify OTP, receive tokens
- POST /api2/password_less/refresh_token – refresh access when expired
Required Headers:
- Authorization: Bearer
- id-token:
Handling Expired Tokens:
- Watch for 401 or token_expired errors
- Call the refresh token endpoint
- Store the new tokens securely
Deeper Dive: How It Works
- Send OTP to the user’s contact method
- Verify OTP, which returns:
  - access_token: Used to authorize future API calls
  - id_token: Required in all authenticated headers (new!)
  - refresh_token: Used to renew expired tokens
- When an access_token expires, call the refresh token API to get a new token set
All authenticated API requests now require both the access token and id token in the headers.
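The complete client-side flow described in the mobile login steps, the key API calls, the expired-token handling and the deeper dive above, as one added example that is not PAR Punchh's own code. The endpoint paths are the ones listed on this page; the request and response field names (`contact`, `otp`, `refresh_token`, the JSON error values), the OTP format, the token lifetime and the `/api2/whoami` path used for the authenticated call are assumptions. Because the example must run offline, it talks to a constructed in-memory stand-in for the API rather than the real service, which lets it show the part that matters for a client: both headers are required, and a `401` with `token_expired` triggers exactly one refresh-and-retry.

```python
# Added example (not PAR Punchh's own code). Endpoint paths are from the page;
# field names, error strings, OTP format, TOKEN_TTL and /api2/whoami are
# assumptions. FakePunchhServer is a constructed offline stand-in for the API.
import secrets
import time

TOKEN_TTL = 60  # assumed access-token lifetime in seconds (fake server only)


class FakePunchhServer:
    """Constructed stand-in: issues and checks tokens in memory."""

    def __init__(self):
        self.pending_otps = {}  # contact -> one-time code awaiting verification
        self.access = {}        # access_token -> (contact, expires_at)
        self.refresh = {}       # refresh_token -> contact (single use)
        self.id_tokens = set()
        self.sent = []          # what the SMS/email channel would have delivered

    def _issue(self, contact, now):
        at, it, rt = (secrets.token_urlsafe(24) for _ in range(3))
        self.access[at] = (contact, now + TOKEN_TTL)
        self.id_tokens.add(it)
        self.refresh[rt] = contact
        return {"access_token": at, "id_token": it, "refresh_token": rt}

    def post(self, path, headers=None, body=None, now=None):
        now = time.time() if now is None else now
        body, headers = body or {}, headers or {}
        if path == "/api2/password_less/token":
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending_otps[body["contact"]] = otp
            self.sent.append((body["contact"], otp))
            return 200, {"status": "sent"}
        if path == "/api2/password_less/verify":
            # pop() makes the OTP single-use: a wrong guess burns it too
            if self.pending_otps.pop(body["contact"], None) != body["otp"]:
                return 401, {"error": "invalid_otp"}
            return 200, self._issue(body["contact"], now)
        if path == "/api2/password_less/refresh_token":
            contact = self.refresh.pop(body.get("refresh_token"), None)
            if contact is None:
                return 401, {"error": "invalid_refresh_token"}
            return 200, self._issue(contact, now)
        # Any other path is an authenticated call: BOTH headers must be valid.
        auth = headers.get("Authorization", "")
        at = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        if at not in self.access or headers.get("id-token") not in self.id_tokens:
            return 401, {"error": "unauthorized"}
        if self.access[at][1] <= now:
            return 401, {"error": "token_expired"}
        return 200, {"user": self.access[at][0], "path": path}


class PasswordlessClient:
    """The app side of the flow: send OTP, verify, call, refresh on expiry."""

    def __init__(self, server):
        self.server = server
        self.tokens = None  # in a real app: platform secure storage, not a plain file

    def send_otp(self, contact):
        status, _ = self.server.post("/api2/password_less/token", body={"contact": contact})
        return status == 200

    def verify_otp(self, contact, otp, now=None):
        status, body = self.server.post("/api2/password_less/verify",
                                        body={"contact": contact, "otp": otp}, now=now)
        if status == 200:
            self.tokens = body
        return status == 200

    def _headers(self):
        # Both the access token and the id token are required on every call.
        return {"Authorization": f"Bearer {self.tokens['access_token']}",
                "id-token": self.tokens["id_token"]}

    def refresh(self, now=None):
        status, body = self.server.post("/api2/password_less/refresh_token",
                                        body={"refresh_token": self.tokens["refresh_token"]},
                                        now=now)
        if status == 200:
            self.tokens = body  # replace the whole set; the id_token rotates too
        return status == 200

    def call(self, path, now=None):
        """Authenticated call; on 401/token_expired refresh once and retry once.
        Any other 401 (or a failed refresh) is returned to the caller, which
        should send the user back through the OTP step rather than loop."""
        status, body = self.server.post(path, headers=self._headers(), now=now)
        if status == 401 and body.get("error") == "token_expired":
            if not self.refresh(now=now):
                return status, body
            status, body = self.server.post(path, headers=self._headers(), now=now)
        return status, body


def demo():
    """Walks the whole flow; returns (first call status, post-expiry status, rotated?)."""
    server, t0 = FakePunchhServer(), 1_000_000.0
    client = PasswordlessClient(server)
    client.send_otp("+15555550100")
    contact, otp = server.sent[-1]  # the user reads this from the SMS/email
    client.verify_otp(contact, otp, now=t0)
    first_access = client.tokens["access_token"]
    ok, _ = client.call("/api2/whoami", now=t0)  # hypothetical authenticated endpoint
    later, _ = client.call("/api2/whoami", now=t0 + TOKEN_TTL + 1)
    return ok, later, client.tokens["access_token"] != first_access
```

Two design points carry over to a real client: `call()` retries at most once, so a bad refresh token cannot turn into a tight loop of 401s, and `refresh()` stores the whole returned set rather than patching only the access token, since the page states that the refresh endpoint returns a new token set and the id token is required on every request.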
Developer Resources to Get You Started
Postman Collections
Our PAR Punchh Postman Collections provide ready-to-use API scenarios including:
- Sending and verifying OTPs
- Making secure API calls using access and id tokens
- Refreshing tokens when they expire
Sample Application (Coming Soon)
We’re also releasing a sample app in Python that walks you through:
- Setting up businesses and users
- Authenticating via email or phone
- Managing and refreshing tokens
- Making authenticated API calls
Ask your PAR Punchh representative for access.
Looking Ahead
Advanced Authentication is just the beginning of a more secure, flexible guest experience across all digital touchpoints.
- Support for Online Ordering, Kiosks, and POS
- User sign-up APIs
- Even more customizable login journeys